Windows Analysis Report
1iGYsIphmN.exe

Overview

General Information

Sample name: 1iGYsIphmN.exe (renamed because the original name is a hash value)
Original sample name: b550e3dc4795f15c0bfebd24cb130ce7.exe
Analysis ID: 1540741
MD5: b550e3dc4795f15c0bfebd24cb130ce7
SHA1: 7af5b5727b303d36d3255eda769c1d1bf2c57518
SHA256: 04768fec909a41d9908a9a1ee4827e2f5debee21445be37c280bc8514c543c7b
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
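
Several of the signatures above ("Entry point lies outside standard sections", "PE file contains sections with non-standard names", "PE file contains more sections than normal", "Binary contains a suspicious time stamp") are static header checks that can be reproduced without the sandbox. The script below is an added example, not Joe Sandbox code and not the report's own logic: it parses the DOS/COFF/section headers with the standard library only and applies those checks, plus a static writable-and-executable section check as a hint of in-place unpacking (the report's "changes PE section rights" signature is observed at run time; this is only the static counterpart). The section-count threshold, the "standard" section-name list, the timestamp sanity range and the two header-only sample images are this example's assumptions, not values taken from the report.

```python
"""Static PE header triage reproducing several of the report's structural signatures.

Added example (not Joe Sandbox code): plain-Python (struct only, no pefile) versions of
the header checks behind "Entry point lies outside standard sections", "PE file
contains sections with non-standard names", "PE file contains more sections than
normal" and "Binary contains a suspicious time stamp", plus a static W+X section
check as a hint of in-place unpacking. Thresholds, the "standard" name list and the
two sample images are this example's assumptions, not values taken from the report.
"""
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names MSVC and Delphi/Inno Setup linkers normally emit.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".bss",
                     ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS", ".itext", ".didata"}
MAX_SECTIONS = 8            # assumption: above this, "more sections than normal"
EARLIEST_SANE_YEAR = 1995   # assumption: link timestamps before this are treated as forged


def parse_headers(image):
    """Return (link_timestamp, entry_rva, sections) from the DOS, COFF and section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header after Machine: NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader
    n_sections, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", image, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "size": max(vsize, rawsize), "chars": chars})
    return timestamp, entry_rva, sections


def triage(image, now):
    """Return 'tag: detail' findings; an empty list means nothing structural stood out."""
    timestamp, entry_rva, sections = parse_headers(image)
    findings = []
    ep = next((s for s in sections if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    if ep is None:
        findings.append("entry-point-outside-sections: rva 0x%x" % entry_rva)
    elif ep["name"] not in STANDARD_SECTIONS:
        findings.append("entry-point-nonstandard-section: " + ep["name"])
    odd = [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("nonstandard-section-names: " + ",".join(odd))
    if len(sections) > MAX_SECTIONS:
        findings.append("too-many-sections: %d" % len(sections))
    wx = [s["name"] for s in sections
          if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    if wx:
        findings.append("writable-executable-sections: " + ",".join(wx))
    linked = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    if linked > now or linked.year < EARLIEST_SANE_YEAR:
        findings.append("suspicious-timestamp: " + linked.date().isoformat())
    return findings


def build_pe(sections, entry_rva, timestamp):
    """Construct a header-only PE32 image (constructed test input, no real code inside)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr, size, 0x400, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
NOW = datetime(2024, 10, 24, tzinfo=timezone.utc)   # the report's analysis date
PLAIN_IMAGE = build_pe([(".text", 0x1000, 0x2000, RX), (".rdata", 0x3000, 0x1000, IMAGE_SCN_MEM_READ),
                        (".data", 0x4000, 0x1000, RW)], entry_rva=0x1500, timestamp=1577836800)  # 2020-01-01
PACKED_IMAGE = build_pe([(".text", 0x1000, 0x2000, RX | IMAGE_SCN_MEM_WRITE),
                         (".rsrc", 0x3000, 0x1000, IMAGE_SCN_MEM_READ),
                         (".x7k2", 0x4000, 0x3000, RX | IMAGE_SCN_MEM_WRITE)],
                        entry_rva=0x4100, timestamp=2147483647)  # 2038-01-19

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, triage(img, NOW) or "no findings")
```

Run it as a script and the plain image produces no findings while the packed one reports an entry point in a non-standard section, non-standard names, two W+X sections and a link date in the future. Each of these is a heuristic, not a verdict: Delphi and Inno Setup binaries legitimately use CODE/DATA/BSS names, and a forged timestamp alone proves nothing, which is why the report combines them with unpacking and network evidence.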

Process Tree

  • System is w10x64
  • 1iGYsIphmN.exe (PID: 7380, cmdline: "C:\Users\user\Desktop\1iGYsIphmN.exe", MD5: B550E3DC4795F15C0BFEBD24CB130CE7)
    • 1iGYsIphmN.tmp (PID: 7396, cmdline: "C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp" /SL5="$20470,3807573,53248,C:\Users\user\Desktop\1iGYsIphmN.exe", MD5: BD4BFB94D85C372C939F660E464CFCD5)
      • dpfreevideoconverter3264.exe (PID: 7440, cmdline: "C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i, MD5: 3CBD9752E46D8042741DE2DE58F2B0DF)
  • cleanup

Malware Configuration

{"C2 list": ["dluduxe.info"]}
Yara Overview

Source | Rule | Description | Author | Strings
00000002.00000002.2945690706.00000000026BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: dpfreevideoconverter3264.exe PID: 7440 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Sigma Overview

No Sigma rule has matched
Suricata Overview

SID 2049467 (ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T04:32:54.689900+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:55.123047+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.301659+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.724173+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.144205+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.887916+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:00.750319+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:01.802299+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:02.230901+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.272506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.681357+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:04.710407+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:05.771702+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:06.202187+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.237550+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.652069+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:08.693574+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:09.102719+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:10.214263+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49807 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:11.254590+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:11.667859+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:12.836205+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49823 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:13.264722+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49823 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:14.304086+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49834 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:15.697818+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49840 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:16.730395+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49851 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:17.779239+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49857 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:18.822413+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49863 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:19.855601+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49869 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:20.890687+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49875 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:21.915638+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:22.969091+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49892 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:24.006721+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49898 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:25.037051+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49904 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:25.451765+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49904 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:26.480810+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49915 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:27.515891+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49921 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:28.559515+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49927 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:29.601621+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49933 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:30.010526+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49933 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:31.041632+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49944 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:32.095799+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49950 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:33.140738+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49956 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:34.153707+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49963 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:35.188733+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:36.218532+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:37.248405+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49984 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:38.296537+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49991 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:39.330327+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49997 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:40.365498+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:40.776078+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:41.801042+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:42.218444+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:43.252301+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:44.306630+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:45.337480+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:46.376962+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:47.390698+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50044 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:48.424958+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:48.844623+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:49.893499+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:50.326568+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:51.367695+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50047 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:52.407841+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50048 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:53.621212+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50049 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:54.652410+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:55.683403+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50051 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:56.715613+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50052 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:57.779161+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50053 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:58.814520+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50054 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:59.858763+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50055 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:00.891135+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50056 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:01.940395+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50057 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:02.987629+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50058 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:04.035035+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50059 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:05.238295+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 50060 | 185.208.158.202 | 80 | TCP

SID 2050112 (ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T04:32:54.689900+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:55.123047+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.301659+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.724173+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.144205+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.887916+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:00.750319+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:01.802299+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:02.230901+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.272506+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.681357+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:04.710407+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:05.771702+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:06.202187+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.237550+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.652069+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:08.693574+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:09.102719+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:10.214263+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49807 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:11.254590+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:11.667859+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:12.836205+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49823 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:13.264722+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49823 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:14.304086+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49834 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:15.697818+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49840 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:16.730395+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49851 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:17.779239+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49857 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:18.822413+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49863 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:19.855601+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49869 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:20.890687+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49875 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:21.915638+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:22.969091+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49892 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:24.006721+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49898 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:25.037051+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49904 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:25.451765+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49904 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:26.480810+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49915 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:27.515891+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49921 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:28.559515+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49927 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:29.601621+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49933 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:30.010526+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49933 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:31.041632+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49944 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:32.095799+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49950 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:33.140738+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49956 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:34.153707+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49963 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:35.188733+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:36.218532+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:37.248405+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49984 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:38.296537+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49991 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:39.330327+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49997 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:40.365498+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:40.776078+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:41.801042+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:42.218444+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:43.252301+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:44.306630+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:45.337480+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:46.376962+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:47.390698+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50044 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:48.424958+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:48.844623+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:49.893499+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:50.326568+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:51.367695+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50047 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:52.407841+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50048 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:53.621212+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50049 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:54.652410+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:55.683403+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50051 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:56.715613+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50052 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:57.779161+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50053 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:58.814520+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50054 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:59.858763+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50055 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:00.891135+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50056 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:01.940395+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50057 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:02.987629+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50058 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:04.035035+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50059 | 185.208.158.202 | 80 | TCP
2024-10-24T04:34:05.238295+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 50060 | 185.208.158.202 | 80 | TCP
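
The alert tables above show the C2 traffic that makes this sample worth hunting for on a network: a new TCP connection to 185.208.158.202:80 roughly every second, each with a fresh ephemeral source port, and both ET rules firing on the same connections. The script below is an added example, not part of the Joe Sandbox report or of the Suricata rules: it takes alert rows in the column order of the table (timestamp, SID, severity, classtype, source IP, source port, destination IP, destination port, protocol) and measures how regular the connection cadence is. SAMPLE_ALERTS is a constructed subset, the first 19 rows of the SID 2049467 table, copied in so the block runs offline; the two threshold constants are this example's assumptions.

```python
"""Beacon-interval analysis over the Suricata alert rows a sandbox report lists.

Added example, not part of the report: SAMPLE_ALERTS is a constructed subset (the first
19 rows for SID 2049467) copied from the report's alert table; the two threshold
constants are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_ALERTS = """\
2024-10-24T04:32:54.689900+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:55.123047+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.301659+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:58.724173+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.144205+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:32:59.887916+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:00.750319+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:01.802299+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:02.230901+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.272506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.681357+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:04.710407+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:05.771702+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:06.202187+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.237550+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.652069+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:08.693574+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:09.102719+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:10.214263+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49807 | 185.208.158.202 | 80 | TCP
"""

MIN_FLOWS = 5         # assumption: distinct connections needed before calling it beaconing
MAX_MAD_RATIO = 0.2   # assumption: MAD/median of the gaps below this counts as regular


def parse_alerts(text):
    """Parse 'timestamp | sid | severity | classtype | src | sport | dst | dport | proto' rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Timestamp"):
            continue
        ts, sid, _sev, _cls, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), "sid": int(sid),
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def beacon_summary(rows):
    """Group alerts by (sid, src, dst, dport, proto) and measure the gap between connections.

    A connection is identified by its ephemeral source port. One connection can raise
    several alerts (port 49736 fires seven times here), so the period is taken between
    the first-seen times of successive connections, not between raw alerts, and the
    dispersion uses median/MAD so one long gap does not hide an otherwise steady beat.
    """
    first_seen = defaultdict(dict)   # key -> {sport: earliest timestamp}
    alerts = defaultdict(int)
    for r in rows:
        key = (r["sid"], r["src"], r["dst"], r["dport"], r["proto"])
        alerts[key] += 1
        seen = first_seen[key]
        if r["sport"] not in seen or r["ts"] < seen[r["sport"]]:
            seen[r["sport"]] = r["ts"]
    summary = {}
    for key, seen in first_seen.items():
        starts = sorted(seen.values())
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        med = median(gaps) if gaps else 0.0
        mad = median(abs(g - med) for g in gaps) if gaps else 0.0
        ratio = mad / med if med else float("inf")
        summary[key] = {
            "alerts": alerts[key],
            "flows": len(starts),
            "mean_gap_s": round(sum(gaps) / len(gaps), 3) if gaps else 0.0,
            "median_gap_s": round(med, 3),
            "mad_ratio": round(ratio, 3),
            "beaconing": len(starts) >= MIN_FLOWS and ratio <= MAX_MAD_RATIO,
        }
    return summary


if __name__ == "__main__":
    for key, stats in beacon_summary(parse_alerts(SAMPLE_ALERTS)).items():
        print("sid=%d %s -> %s:%d/%s" % key, stats)
```

On the 19 sample rows this yields 8 connections with a median gap of about 1.47 s but a mean of about 2.22 s, because the first connection stayed open for seven alerts before the next one started; the median/MAD pair flags the cadence as regular while a mean/standard-deviation test would not. Grouping by SID matters too: the SID 2050112 (M2) table repeats exactly the same connections, so counting alerts without the SID in the key would double every figure.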

        AV Detection

Source: 1iGYsIphmN.exe | Avira: detected
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Avira: detection malicious, Label: HEUR/AGEN.1314739
Source: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | Avira: detection malicious, Label: HEUR/AGEN.1314739
Source: dpfreevideoconverter3264.exe.7440.2.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["dluduxe.info"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045A4FC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045A5C8 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045A5B0 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_10001130 ArcFourCrypt

        Compliance

Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 2.2.dpfreevideoconverter3264.exe.400000.0.unpack
Source: 1iGYsIphmN.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047819C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0046E788 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045105C FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004760AC FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045EB08 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045EF84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0048F0A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045D584 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

        Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49736 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49736 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49767 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49767 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49756 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49781 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49834 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49834 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49781 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49801 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49756 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49823 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49857 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49807 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49801 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49823 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49863 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49863 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49898 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49807 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49790 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49857 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49790 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49898 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49927 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49927 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49915 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49915 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49875 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49875 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49944 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49944 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49892 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49950 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49817 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49956 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49950 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49956 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49921 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49921 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49817 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49869 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49869 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49840 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49840 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49892 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49963 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49991 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49963 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49991 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49851 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49971 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49851 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49984 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49971 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49984 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49997 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49997 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50014 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50024 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50014 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50024 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49777 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49777 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49978 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49978 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50045 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50049 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50045 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49882 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50049 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50058 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50050 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50058 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50050 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49882 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50054 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50054 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50055 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50043 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50043 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50055 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50044 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50060 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50051 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50051 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50060 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50044 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50053 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50056 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50053 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50056 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49904 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50046 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49904 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50046 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50048 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49933 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50048 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49933 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50059 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50037 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50047 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50059 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50037 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50047 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50057 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50057 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50005 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50005 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50030 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50030 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50052 -> 185.208.158.202:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50052 -> 185.208.158.202:80
        Source: Malware configuration extractor | URLs: dluduxe.info
        Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 89.105.201.183:2023
        Source: Joe Sandbox View | IP Address: 185.208.158.202
        Source: Joe Sandbox View | IP Address: 89.105.201.183
        Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c3e894923b HTTP/1.1 | Host: dluduxe.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1 | Host: dluduxe.info | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown
            TCP traffic detected without corresponding DNS query: 89.105.201.183
        Source: unknown
            UDP traffic detected without corresponding DNS query: 141.98.234.31
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
            Code function: 2_2_02BD72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_free,2_2_02BD72AB
        Source: global traffic
            HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c3e894923b HTTP/1.1
            Host: dluduxe.info
            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1Host: dluduxe.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficDNS traffic detected: DNS query: dluduxe.info
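The request above is the sample's C2 beacon: a GET to /search/ whose only parameter is a 208-character hex token, sent to dluduxe.info 27 times in the analysis window with a User-Agent claiming Windows NT 9.0, a version that has never existed. The same path also shows up in dpfreevideoconverter3264.exe memory with the raw IP 185.208.158.202 (see the strings below), and at least two different tokens appear there, so the token value itself is a poor indicator while its shape is a good one. What follows is an added example written for this page, not part of the Joe Sandbox output or of the sample, that checks proxy log lines for those indicators plus the repetition. The log line format, the 64-hex-character token threshold, the repeat threshold of five and the sample log itself are assumptions constructed for the demonstration.

```python
"""Flag beacons shaped like the one in this report in proxy log lines (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Observables taken from the report: the C2 host, the raw IP seen in memory, the exact User-Agent.
KNOWN_C2_HOSTS = {"dluduxe.info", "185.208.158.202"}
OBSERVED_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Assumption: any /search/?q= token of at least 64 hex characters counts as a beacon
# token; the token in the report is 208 hex characters long.
MIN_TOKEN_HEX = 64
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed log format (assumption): <ts> <src_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec):
    """List the indicators a single request shares with the beacon in the report."""
    reasons = []
    if rec["host"].lower() in KNOWN_C2_HOSTS:
        reasons.append("known C2 host")
    parts = urlsplit(rec["path"])
    token = parse_qs(parts.query).get("q", [""])[0]
    if parts.path == "/search/" and len(token) >= MIN_TOKEN_HEX and HEX_RE.match(token):
        reasons.append("/search/?q= with %d-char hex token" % len(token))
    if "Windows NT 9.0" in rec["ua"]:
        # No Windows release ever reported NT 9.0; the string is a hard-coded fake.
        reasons.append("impossible OS version in User-Agent")
    return reasons


def scan(lines, repeat_threshold=5):
    """Return (hits, repeats): per-line indicator lists, and the (src, host, path) groups
    that recur at least repeat_threshold times, the way the 27 identical GETs above did."""
    hits, groups = [], Counter()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        groups[(rec["src"], rec["host"], rec["path"])] += 1
        found = reasons_for(rec)
        if found:
            hits.append((n, found))
    repeats = {key: count for key, count in groups.items() if count >= repeat_threshold}
    return hits, repeats


# Constructed sample log: one ordinary search, five identical beacons, and one
# short-token request straight to the IP seen in memory.
BEACON_TOKEN = "0123456789abcdef" * 8  # 128 hex characters, constructed
SAMPLE_LOG = (
    ['2024-10-23T10:00:00Z 10.0.0.5 GET www.example.com /search/?q=video+converter '
     '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"']
    + ['2024-10-23T10:0%d:00Z 10.0.0.5 GET dluduxe.info /search/?q=%s "%s"'
       % (i, BEACON_TOKEN, OBSERVED_UA) for i in range(1, 6)]
    + ['2024-10-23T10:07:00Z 10.0.0.7 GET 185.208.158.202 /search/?q=%s "%s"'
       % (BEACON_TOKEN[:40], OBSERVED_UA)]
)

if __name__ == "__main__":
    hits, repeats = scan(SAMPLE_LOG)
    for n, found in hits:
        print("line %d: %s" % (n, "; ".join(found)))
    for (src, host, path), count in repeats.items():
        print("%s -> %s %s... repeated %d times" % (src, host, path[:24], count))
```

The host set will go stale as infrastructure rotates; the token shape and the fake OS version are what survive a move to a new domain, and the repetition check catches the fixed-interval polling even when all three string indicators change.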
        Source: dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.0000000000849000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/
        Source: dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.000000000080B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eC
        Source: dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.0000000000758000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec918
        Source: dpfreevideoconverter3264.exe, 00000002.00000002.2946047980.00000000032B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684193764.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000002.2944971675.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686459777.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686546336.000000000212C000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944902525.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2945091995.000000000211D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://fsf.org/
        Source: is-QN9PD.tmp.1.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-E2R8F.tmp.1.dr | String found in binary or memory: http://tukaani.org/
        Source: is-E2R8F.tmp.1.dr | String found in binary or memory: http://tukaani.org/xz/
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684193764.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000002.2944971675.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686459777.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686546336.000000000212C000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944902525.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2945091995.000000000211D000.00000004.00001000.00020000.00000000.sdmp, is-S28N5.tmp.1.dr | String found in binary or memory: http://www.gnu.org/licenses/
        Source: 1iGYsIphmN.tmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/?ps
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/?psU
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0042ECCC NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00423B1C NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00412570 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00455074 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004718F0 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0042E6BC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00453978 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004082E8
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004620A8
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0046A284
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004349C0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00478DF1
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004640C4
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00444100
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047E4E0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00430564
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045876C
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004447F8
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00444C04
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00484EC0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0043D3E0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045B514
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00443B58
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0042FB08
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00433CBC
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00406C47
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00401051
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00401C26
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BEE24D
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BDF071
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BF4EE9
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BF2E74
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BEE665
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BE9F44
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BEACFA
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BE8503
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BEDD59
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02C0BF78
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02C0BF29
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02C0B4E5
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00405964 appears 100 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00445734 appears 58 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00403400 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00406A1C appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00407884 appears 40 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00408B9C appears 44 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00445464 appears 44 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00433BD4 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00403494 appears 83 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 004559F0 appears 65 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00451940 appears 70 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 00403684 appears 203 times
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: String function: 004557F0 appears 95 times
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: String function: 02BF53F0 appears 137 times
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: String function: 02BE8BA0 appears 37 times
        Source: 1iGYsIphmN.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: 1iGYsIphmN.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: 1iGYsIphmN.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: 1iGYsIphmN.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-DIJPO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-DIJPO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: is-DIJPO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-DIJPO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-VF2DQ.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-S28N5.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-TD2RN.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-5KNMT.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-QN9PD.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-UHH4I.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-D04C6.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-H32UM.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-AAVDI.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-5NT2B.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-E2R8F.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1iGYsIphmN.exe
        Source: 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename! vs 1iGYsIphmN.exe
        Source: 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1iGYsIphmN.exe
        Source: 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename! vs 1iGYsIphmN.exe
        Source: 1iGYsIphmN.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/69@1/2
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BE08C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00453978 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004541A0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_0040288A CloseServiceHandle,CreateServiceA
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00454624 CoCreateInstance,CoCreateInstance,SysFreeString
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00409A00 FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_004025AA StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | File created: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | File read (twice): C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | File read: C:\Users\user\Desktop\1iGYsIphmN.exe
        Source: unknown | Process created: C:\Users\user\Desktop\1iGYsIphmN.exe "C:\Users\user\Desktop\1iGYsIphmN.exe"
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Process created: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp "C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp" /SL5="$20470,3807573,53248,C:\Users\user\Desktop\1iGYsIphmN.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process created: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe "C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i
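The process creations above are the whole delivery chain: 1iGYsIphmN.exe is an Inno Setup loader that unpacks its setup program to %TEMP%\is-92VMD.tmp\1iGYsIphmN.tmp and re-launches it with /SL5=, which every Inno Setup installer does, and that setup program then writes dpfreevideoconverter3264.exe under %LOCALAPPDATA% and starts it with -i. Taken together with the CreateServiceA and StartServiceCtrlDispatcherA calls listed earlier, what separates this from an ordinary per-user install is a freshly dropped LocalAppData binary being registered as a service. The following is an added example, not part of the Joe Sandbox report or of the sample, that correlates Sysmon-style process-creation events with a service-install event to surface exactly that chain. The event dictionaries, the service name DPFreeVideoConverter and the reading of -i as an install switch are assumptions; the report shows neither the service name nor what -i means to the binary.

```python
"""Correlate process-creation and service-install events into the installer-to-service
chain seen in this report (added example)."""
import re

# Inno Setup's loader unpacks to %TEMP%\is-XXXXX.tmp\<name>.tmp and re-launches it with
# /SL5=...; this is normal installer behaviour and serves only as a context marker here.
INNO_STUB_RE = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
LOCALAPPDATA_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\", re.I)


def is_inno_stub(ev):
    """True for the process-create event of an Inno Setup setup program started by its loader."""
    return (ev["event"] == "process_create"
            and INNO_STUB_RE.search(ev["image"]) is not None
            and "/SL5=" in ev["cmdline"])


def correlate(events):
    """Walk events in order and return findings:
    ("dropped_exe_launched", image, has_install_switch) when an Inno stub starts an .exe
    under %LOCALAPPDATA%, and ("dropped_exe_registered_as_service", name, image_path) when
    that same binary is later registered as a Windows service."""
    stubs, dropped, findings = set(), {}, []
    for ev in events:
        if is_inno_stub(ev):
            stubs.add(ev["image"].lower())
        elif (ev["event"] == "process_create"
              and ev["parent_image"].lower() in stubs
              and LOCALAPPDATA_RE.match(ev["image"])
              and ev["image"].lower().endswith(".exe")):
            dropped[ev["image"].lower()] = ev
            # Assumption: a trailing " -i" is the dropped binary's own install switch.
            findings.append(("dropped_exe_launched", ev["image"], ev["cmdline"].endswith(" -i")))
        elif ev["event"] == "service_install":
            path = ev["image_path"].strip('"').lower()
            if path in dropped:
                findings.append(("dropped_exe_registered_as_service", ev["service_name"], ev["image_path"]))
    return findings


# Constructed events mirroring the three process creations in the report, plus one
# assumed service-install event (the report shows CreateServiceA, not the service name).
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Users\user\Desktop\1iGYsIphmN.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\1iGYsIphmN.exe"'},
    {"event": "process_create",
     "image": r"C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp",
     "parent_image": r"C:\Users\user\Desktop\1iGYsIphmN.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp" /SL5="$20470,3807573,53248,C:\Users\user\Desktop\1iGYsIphmN.exe"'},
    {"event": "process_create",
     "image": r"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp",
     "cmdline": r'"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i'},
    {"event": "service_install",
     "service_name": "DPFreeVideoConverter",  # assumed; not in the report
     "image_path": r'"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe"'},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On a real host the service-install event corresponds to System log event 7045 or Security log event 4697, and the process-creation events to Sysmon event 1; the correlation needs nothing more than image paths and parent image paths from those sources. The first finding alone is what any per-user Inno Setup install looks like and should not alert on its own; the second is the one worth paging on.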
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded (three times): wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded (twice): winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Window found: window name: TMainForm
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: 1iGYsIphmN.exeStatic file information: File size 4079665 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 2.2.dpfreevideoconverter3264.exe.400000.0.unpack .hreg5:EW;.ireg5:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 2.2.dpfreevideoconverter3264.exe.400000.0.unpack
        Source: is-PA2IE.tmp.1.dr | Static PE information: 0x8C00008C [Mon Jun 6 07:19:40 2044 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00447B9C LoadLibraryExA,LoadLibraryA,GetProcAddress
        Source: initial sample | Static PE information: section where entry point is pointing to: .hreg5
        Source: dpfreevideoconverter3264.exe.1.dr | Static PE information: section name: .hreg5
        Source: dpfreevideoconverter3264.exe.1.dr | Static PE information: section name: .ireg5
        Source: is-SL8EF.tmp.1.dr | Static PE information: section name: /4
        Source: is-UHH4I.tmp.1.dr | Static PE information: section name: /4
        Source: is-D04C6.tmp.1.dr | Static PE information: section name: /4
        Source: is-3GJGM.tmp.1.dr | Static PE information: section name: /4
        Source: is-CEHUB.tmp.1.dr | Static PE information: section name: /4
        Source: is-GTFMU.tmp.1.dr | Static PE information: section name: /4
        Source: is-S28N5.tmp.1.dr | Static PE information: section name: /4
        Source: is-PA2IE.tmp.1.dr | Static PE information: section name: /4
        Source: is-22RU2.tmp.1.dr | Static PE information: section name: /4
        Source: is-E2R8F.tmp.1.dr | Static PE information: section name: /4
        Source: is-14NDM.tmp.1.dr | Static PE information: section name: /4
        Source: is-AAVDI.tmp.1.dr | Static PE information: section name: /4
        Source: is-J8SQ7.tmp.1.dr | Static PE information: section name: /4
        Source: is-TD2RN.tmp.1.dr | Static PE information: section name: /4
        Source: is-VF2DQ.tmp.1.dr | Static PE information: section name: /4
        Source: is-H32UM.tmp.1.dr | Static PE information: section name: /4
        Source: is-5NT2B.tmp.1.dr | Static PE information: section name: /4
        Source: is-MAT0T.tmp.1.dr | Static PE information: section name: /4
        Source: is-5KNMT.tmp.1.dr | Static PE information: section name: /4
        Source: is-C1BN7.tmp.1.dr | Static PE information: section name: /4
        Source: is-I40JV.tmp.1.dr | Static PE information: section name: /4
        Source: is-F65BV.tmp.1.dr | Static PE information: section name: /4
        Source: is-29ID7.tmp.1.dr | Static PE information: section name: /4
        Source: is-T761O.tmp.1.dr | Static PE information: section name: /4
        Source: is-HGCFL.tmp.1.dr | Static PE information: section name: /4
        Source: is-QN9PD.tmp.1.dr | Static PE information: section name: /4
        Source: is-12LVF.tmp.1.dr | Static PE information: section name: /4
        Source: DP Free Video Converter 10.23.46.exe.2.dr | Static PE information: section name: .hreg5
        Source: DP Free Video Converter 10.23.46.exe.2.dr | Static PE information: section name: .ireg5
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00406518 push 00406555h; ret (at 0_2_0040654D)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004040B5 push eax; ret (at 0_2_004040F1)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00404185 push 00404391h; ret (at 0_2_00404389)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00404206 push 00404391h; ret (at 0_2_00404389)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_0040C218 push eax; ret (at 0_2_0040C219)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004042E8 push 00404391h; ret (at 0_2_00404389)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00404283 push 00404391h; ret (at 0_2_00404389)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00408D90 push 00408DC3h; ret (at 0_2_00408DBB)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax (at 0_2_00407FE5)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004098DC push 00409919h; ret (at 1_2_00409911)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004062BC push ecx; mov dword ptr [esp], eax (at 1_2_004062BD)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00430564 push ecx; mov dword ptr [esp], eax (at 1_2_00430569)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00410668 push ecx; mov dword ptr [esp], edx (at 1_2_0041066D)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004128C0 push 00412923h; ret (at 1_2_0041291B)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004508F8 push 0045092Bh; ret (at 1_2_00450923)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00442AD0 push ecx; mov dword ptr [esp], ecx (at 1_2_00442AD4)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00470C04 push ecx; mov dword ptr [esp], edx (at 1_2_00470C05)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0040CFC0 push ecx; mov dword ptr [esp], edx (at 1_2_0040CFC2)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045725C push 004572A0h; ret (at 1_2_00457298)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045B20C push ecx; mov dword ptr [esp], eax (at 1_2_0045B211)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0040546D push eax; ret (at 1_2_004054A9)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047D4C0 push ecx; mov dword ptr [esp], ecx (at 1_2_0047D4C5)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0040F520 push ecx; mov dword ptr [esp], edx (at 1_2_0040F522)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0040553D push 00405749h; ret (at 1_2_00405741)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004055BE push 00405749h; ret (at 1_2_00405741)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0040563B push 00405749h; ret (at 1_2_00405741)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004056A0 push 00405749h; ret (at 1_2_00405741)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00455A8C push 00455AC4h; ret (at 1_2_00455ABC)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00419BC0 push ecx; mov dword ptr [esp], ecx (at 1_2_00419BC5)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047BE6C push 0047BF4Ah; ret (at 1_2_0047BF42)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00409FD7 push ds; ret (at 1_2_00409FD8)
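The Data Obfuscation entries above come down to four static indicators: a compile timestamp in 2044 (0x8C00008C), the non-standard section names .hreg5 and .ireg5 (plus .vmp0 in the unpacked image), an entry point inside a section that is both writable and executable (.hreg5:EW), and a list of push/ret pairs. Read the push/ret list with care: every pair whose target is a constant lands exactly 8 bytes past its ret (0x406555 vs 0x40654D, 0x404391 vs 0x404389, 0x408DC3 vs 0x408DBB, 0x409919 vs 0x409911, and so on), and the push ecx; mov dword ptr [esp], reg lines are stack-slot reservations; both are idioms of the Delphi compiler that Inno Setup is built with, and all of these hits come from process 0 (1iGYsIphmN.exe) and process 1 (1iGYsIphmN.tmp), which are the Inno installer and its unpacked setup program (the is-XXXXX.tmp names, the TMainForm window and the _isetup helpers are Inno's), not from the dpfreevideoconverter3264.exe payload. A push/ret whose target lies far from the ret or in a non-executable section is the variant that actually signals a disguised jump. The script below is an added example written for this page, not code from Joe Sandbox or from the sample: it builds a constructed PE32 image in memory that mirrors the reported layout and runs these checks on it, including a push/ret scan that reports the distance from the ret to the target; the analysis date of 2024-10-24 is an assumption.

```python
"""Static triage for the Data Obfuscation indicators (added example).

Editor-supplied code, not Joe Sandbox's and not the sample's.  It builds a
constructed, minimal PE32 image in memory that mirrors the reported layout
(timestamp 0x8C00008C, sections .hreg5/.ireg5/.data/.rsrc, entry point in
.hreg5) and runs the checks a triage script would run on a real dropped file.
Standard library only; the analysis date is an assumption.
"""
import struct
from collections import namedtuple
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a linker normally emits; anything else is reported (.vmp0 would be too).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                   ".pdata", ".tls", ".bss", ".CRT", ".itext", ".didata"}
ANALYSIS_TIME = datetime(2024, 10, 24, tzinfo=timezone.utc)   # assumed sandbox run date

Section = namedtuple("Section", "name va vsize raw rawsize chars")
PushRet = namedtuple("PushRet", "push_va target ret_va delta target_section")


def parse_pe(data):
    """Parse the DOS, COFF, optional and section headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, raw, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), va, vsize, raw, rawsize, chars))
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s
    return None


def triage(data, analysis_time=ANALYSIS_TIME):
    """Return (finding, detail) tuples for the three static indicators of the report."""
    pe = parse_pe(data)
    findings = []
    try:
        ts = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        ts = None                                        # not even representable as a date
    if ts is None or pe["timestamp"] == 0 or ts > analysis_time:
        shown = ts.strftime("%Y-%m-%d %H:%M:%S UTC") if ts else "unrepresentable"
        findings.append(("timestamp", "0x%08X = %s, zero or later than the analysis time"
                         % (pe["timestamp"], shown)))
    for s in pe["sections"]:
        if s.name not in COMMON_SECTIONS:
            findings.append(("odd-section-name", s.name))
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None:
        findings.append(("entry-outside-sections", hex(pe["entry_rva"])))
    elif ep.chars & IMAGE_SCN_MEM_WRITE and ep.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(("entry-in-wx-section", ep.name))
    return findings


def find_push_ret(data, pe, window=64):
    """Find `push imm32` with an in-image operand followed by `ret` within `window` bytes.
    delta = target - ret address: a small constant positive delta is the compiler's
    try/finally continuation; a far or non-executable target is a disguised jmp."""
    base = pe["image_base"]
    end = base + max(s.va + max(s.vsize, s.rawsize) for s in pe["sections"])
    hits = []
    for s in pe["sections"]:
        if not s.chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        raw = data[s.raw:s.raw + s.rawsize]
        for i in range(len(raw) - 4):
            if raw[i] != 0x68:                           # push imm32
                continue
            imm = struct.unpack_from("<I", raw, i + 1)[0]
            if not base <= imm < end:
                continue
            j = raw.find(b"\xC3", i + 5, i + 5 + window)   # ret
            if j < 0:
                continue
            tsec = section_for_rva(pe, imm - base)
            hits.append(PushRet(base + s.va + i, imm, base + s.va + j, imm - (base + s.va + j),
                                tsec.name if tsec else None))
    return hits


def build_sample_pe():
    """Constructed PE32 image (not the real sample) with the reported layout."""
    layout = [  # name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics
        (b".hreg5", 0x1000, 0x1000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".ireg5", 0x2000, 0x200, 0x600, IMAGE_SCN_MEM_READ),
        (b".data", 0x3000, 0x200, 0x800, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x4000, 0x200, 0xA00, IMAGE_SCN_MEM_READ),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x8C00008C, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                                # entry point -> .hreg5
    struct.pack_into("<I", opt, 28, 0x400000)                              # ImageBase
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0x200, raw, 0, 0, 0, 0, ch)
                    for n, va, vs, raw, ch in layout)
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0xC00, b"\0"))
    code = bytearray(b"\x90" * 0x200)
    code[0x18:0x1D] = b"\x68\x55\x10\x40\x00"       # push 0x401055 ... (try/finally idiom:
    code[0x4D] = 0xC3                                # ret, target is 8 bytes past it)
    code[0x60:0x66] = b"\x68\x10\x30\x40\x00\xC3"   # push 0x403010; ret -> lands in .data
    image[0x400:0x600] = code
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    for f in triage(sample):
        print("%-24s %s" % f)
    for h in find_push_ret(sample, parse_pe(sample)):
        print("push 0x%X at 0x%X, ret at 0x%X, delta %+d, target in %s"
              % (h.target, h.push_va, h.ret_va, h.delta, h.target_section))
```

To apply this to the real thing, read one of the dropped files (an is-XXXXX.tmp copy or dpfreevideoconverter3264.exe) into bytes and pass it to triage and find_push_ret. Only executable sections are scanned, and a stray 0x68 byte inside data or an immediate can produce a false hit, so treat the hit list as a worklist rather than a verdict; the delta column is what separates compiler epilogues from deliberate push/ret jumps.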

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BDF89A CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | File created: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-T761O.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-HGCFL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-PA2IE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-AAVDI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-QN9PD.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-UHH4I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-3GJGM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-GTFMU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-5KNMT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-S28N5.tmp
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | File created: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-F65BV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-SL8EF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-H32UM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-C1BN7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-14NDM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-E2R8F.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-29ID7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-I40JV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-TD2RN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-22RU2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-MAT0T.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-CEHUB.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-DIJPO.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-5NT2B.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-VF2DQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-D04C6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-J8SQ7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | File created: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe
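Most of the File created entries above are installer mechanics: the is-XXXXX.tmp names are Inno Setup's intermediate files, written first and then renamed to the names shown with "(copy)", and the _isetup\ helpers (_iscrypt.dll, _shfoldr.dll, _RegDLL.tmp, _setup64.tmp) are Inno's own. What matters for triage is which dropped PEs ran. The report marks the ones that did not with "Dropped PE file which has not been started" (listed further down), so within a complete listing the drops absent from that list are the execution chain; for this sample that is 1iGYsIphmN.tmp (the unpacked Inno setup program) and dpfreevideoconverter3264.exe, with the copy written to C:\ProgramData being the one drop outside the installer's own directory. The script below is an added example written for this page, not part of the Joe Sandbox report: it parses report lines of those two kinds, accepting both the "Source: ... | ..." layout and the run-together form with the trailing "Jump to dropped file" link text, and produces that reduction over a constructed subset of the listing.

```python
"""Reduce a Joe Sandbox dropped-file listing to what actually ran (added example).

Editor-supplied code, not part of the report.  It parses lines of the two kinds
shown on this page, "File created: ..." and "Dropped PE file which has not been
started: ...", and separates Inno Setup's intermediates and helpers from the
dropped PEs that executed.  SAMPLE_LINES is a constructed subset of the listing.
"""
import re

LINE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<kind>File created|Dropped PE file which has not been started):\s*"
    r"(?P<path>.+?)(?:\s*\(copy\))?\s*(?:Jump to (?:dropped file|behavior))?\s*$")
INNO_TEMP = re.compile(r"^is-[a-z0-9]{5}\.tmp$")      # Inno's pre-rename file names
INNO_HELPERS = {"_iscrypt.dll", "_shfoldr.dll", "_regdll.tmp", "_setup64.tmp"}
USER_TEMP = "\\appdata\\local\\temp\\"                 # installer scratch space

INSTALLER = r"C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp"
APPDIR = r"C:\Users\user\AppData\Local\DP Free Video Converter"
PAYLOAD = APPDIR + r"\dpfreevideoconverter3264.exe"
HELPER = r"C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_iscrypt.dll"
PROGDATA = r"C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe"
SAMPLE_LINES = [  # constructed subset of the report's lines, in both layouts
    r"Source: C:\Users\user\Desktop\1iGYsIphmN.exe | File created: " + INSTALLER,
    "Source: %s | File created: %s" % (INSTALLER, APPDIR + r"\is-T761O.tmp"),
    "Source: %s | File created: %s (copy)" % (INSTALLER, APPDIR + r"\libpangomm-1.4-1.dll"),
    "Source: %sFile created: %sJump to dropped file" % (INSTALLER, HELPER),
    "Source: %s | File created: %s" % (INSTALLER, PAYLOAD),
    "Source: %s | File created: %s" % (PAYLOAD, PROGDATA),
    "Source: %s | Dropped PE file which has not been started: %s (copy)" % (INSTALLER, APPDIR + r"\libpangomm-1.4-1.dll"),
    "Source: %s | Dropped PE file which has not been started: %s" % (INSTALLER, APPDIR + r"\is-T761O.tmp"),
    "Source: %sDropped PE file which has not been started: %sJump to dropped file" % (INSTALLER, HELPER),
]


def inventory(lines, install_dir):
    """Classify every dropped file.  'executed' is the drops absent from the not-started
    list: Joe lists every dropped PE that did not run, so in a complete listing the
    complement is the execution chain."""
    created, not_started = {}, set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        if m.group("kind") == "File created":
            created.setdefault(m.group("path"), m.group("src"))
        else:
            not_started.add(m.group("path"))
    out = {"executed": [], "never_started": [], "inno_temp": [], "inno_helper": [],
           "outside_install_dir": []}
    for path in created:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\_isetup\\" in low or name in INNO_HELPERS:
            out["inno_helper"].append(path)
        elif INNO_TEMP.match(name):
            out["inno_temp"].append(path)
        (out["never_started"] if path in not_started else out["executed"]).append(path)
        if not low.startswith(install_dir.lower()) and USER_TEMP not in low:
            out["outside_install_dir"].append(path)
    return out


if __name__ == "__main__":
    for key, paths in inventory(SAMPLE_LINES, APPDIR).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Feed it the full listing (every File created and not-started line of the report) and the executed list shrinks the sixty-odd entries to the few that matter; the outside_install_dir list is where to look for the persistence copy, which for this sample is the C:\ProgramData path.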
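The CreateFileA,DeviceIoControl,GetLastError,CloseHandle sequence against \\.\PhysicalDrive0 at the top of this section, repeated under Boot Survival, is what the overview's "Contains functionality to infect the boot sector" rests on. The listed calls include no WriteFile, and opening PhysicalDrive0 followed by a single DeviceIoControl is also how ordinary code reads disk geometry or the drive serial; together with the LoadLibraryA,GetProcAddress,GetAdaptersInfo routine listed further down, those are the usual ingredients of a machine fingerprint. Which of the two this is depends on the access requested in CreateFileA and on the control code passed to DeviceIoControl, neither of which the report shows. The script below is an added example written for this page, not code from Joe Sandbox or the sample: it decodes a control code into its device type, function, method and access fields (the CTL_CODE layout), names the common disk and storage codes, and classifies a trace as a raw write only when a write API or a write-access control code is present. The trace it runs on is constructed from the listed calls, and GENERIC_READ is assumed for the access mask.

```python
"""Decode DeviceIoControl control codes and assess a \\.\PhysicalDrive0 trace.

Added example (editor-supplied, not from Joe Sandbox or the sample).  The report
lists the API sequence but not the control code or the requested access, so the
trace below is constructed from the listed calls with GENERIC_READ assumed.
"""
from collections import namedtuple

# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
KNOWN = {  # codes commonly seen against a raw disk handle
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x000700A0: "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX",
    0x00070048: "IOCTL_DISK_GET_PARTITION_INFO_EX",
    0x0007405C: "IOCTL_DISK_GET_LENGTH_INFO",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",      # serial number / bus type
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x00090018: "FSCTL_LOCK_VOLUME",                 # needed before raw sector writes
    0x0009001C: "FSCTL_UNLOCK_VOLUME",
    0x00090020: "FSCTL_DISMOUNT_VOLUME",
}
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
WRITE_APIS = {"WriteFile", "WriteFileEx", "NtWriteFile", "ZwWriteFile"}
REPORTED_CALLS = ["CreateFileA", "DeviceIoControl", "GetLastError", "CloseHandle"]

Ioctl = namedtuple("Ioctl", "code name device_type function method access")


def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code into the CTL_CODE fields and name it if known."""
    dev = (code >> 16) & 0xFFFF
    return Ioctl(code, KNOWN.get(code, "unknown"), DEVICE_TYPES.get(dev, "0x%X" % dev),
                 (code >> 2) & 0xFFF, METHODS[code & 3], ACCESS[(code >> 14) & 3])


def assess_raw_disk_trace(desired_access, calls, ioctl_codes=()):
    """What an API trace against a raw disk handle can prove.

    'raw-write' needs positive evidence: a write API on the handle or a control
    code that carries FILE_WRITE_ACCESS.  A write-capable handle with no write seen
    is flagged separately; everything else is a query, which is also what hardware
    fingerprinting looks like."""
    if WRITE_APIS & set(calls) or any((c >> 14) & 2 for c in ioctl_codes):
        return "raw-write"
    if desired_access & GENERIC_WRITE:
        return "write-capable-handle-no-write-seen"
    return "read-only-query"


if __name__ == "__main__":
    for code in (0x00070000, 0x002D1400, 0x0007405C, 0x00090018):
        print(decode_ioctl(code))
    print("reported trace, GENERIC_READ assumed:",
          assess_raw_disk_trace(GENERIC_READ, REPORTED_CALLS))
    print("same trace plus WriteFile:",
          assess_raw_disk_trace(GENERIC_READ | GENERIC_WRITE, REPORTED_CALLS + ["WriteFile"]))
```

When the sandbox or a debugger gives you the actual dwIoControlCode and dwDesiredAccess for the call at 2_2_00401A4F, run them through decode_ioctl and assess_raw_disk_trace: a geometry or storage-property query with a read-only handle supports fingerprinting, while FSCTL_LOCK_VOLUME followed by a write API is the sequence that would support the boot-sector claim.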

        Boot Survival

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BDF89A CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_004025AA StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00423BA4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00423BA4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00424174 IsIconic,SetActiveWindow,SetFocus
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0042412C IsIconic,SetActiveWindow
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0041831C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004227F4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00417530 IsIconic,GetCapture
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047B83C IsIconic,GetWindowLongA,ShowWindow,ShowWindow
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00417C66 IsIconic,SetWindowPos
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00417C68 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0044A9DC LoadLibraryA followed by a run of GetProcAddress calls (one per resolved import)
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BDF99E LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Window / User API: threadDelayed 8157
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Window / User API: threadDelayed 1711
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-T761O.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-HGCFL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-PA2IE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-AAVDI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-QN9PD.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-UHH4I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-3GJGM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-GTFMU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-5KNMT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-S28N5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-F65BV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-SL8EF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-H32UM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-C1BN7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-14NDM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-29ID7.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-E2R8F.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-I40JV.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-TD2RN.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-22RU2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-MAT0T.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-CEHUB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-DIJPO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-5NT2B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-VF2DQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-D04C6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-J8SQ7.tmpJump to dropped file
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5647)
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-22169)
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7444 | Thread sleep count: 8157 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7444 | Thread sleep time: -16314000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7888 | Thread sleep count: 56 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7888 | Thread sleep time: -3360000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7444 | Thread sleep count: 1711 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7444 | Thread sleep time: -3422000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | File opened: PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047819C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047819C
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0046E788 FindFirstFileA,FindNextFileA,FindClose,1_2_0046E788
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045105C FindFirstFileA,GetLastError,1_2_0045105C
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_004760AC FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_004760AC
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045EB08 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045EB08
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045EF84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045EF84
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0048F0A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_0048F0A0
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0045D584 FindFirstFileA,FindNextFileA,FindClose,1_2_0045D584
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00409944 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409944
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Thread delayed: delay time: 60000
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: dpfreevideoconverter3264.exe, 00000002.00000002.2946047980.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.0000000000758000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000002.00000002.2946047980.00000000032C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | API call chain: ExitProcess graph end node (graph_0-6661)
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | API call chain: ExitProcess graph end node (graph_2-22389)
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BF01BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,2_2_02BF01BE
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00447B9C LoadLibraryExA,LoadLibraryA,GetProcAddress,1_2_00447B9C
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BD648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,2_2_02BD648B
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BE9528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_02BE9528
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0047138C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_0047138C
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_0042DE9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042DE9C
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 2_2_02BE806E cpuid 2_2_02BE806E
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: GetLocaleInfoA,0_2_0040515C
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: GetLocaleInfoA,0_2_004051A8
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: GetLocaleInfoA,1_2_004084F8
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: GetLocaleInfoA,1_2_00408544
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00456538 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_00456538
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
        Source: C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp | Code function: 1_2_00453930 GetUserNameA,1_2_00453930
        Source: C:\Users\user\Desktop\1iGYsIphmN.exe | Code function: 0_2_00405C44 GetVersionExA,0_2_00405C44

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000002.00000002.2945690706.00000000026BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dpfreevideoconverter3264.exe PID: 7440, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000002.00000002.2945690706.00000000026BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dpfreevideoconverter3264.exe PID: 7440, type: MEMORYSTR
        MITRE ATT&CK matrix (one column per tactic; a number in front of a technique is the count of matched signatures for that technique):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | 2 Service Execution | 4 Windows Service | 1 DLL Side-Loading | 2 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | 1 Bootkit | 1 Access Token Manipulation | 21 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 4 Windows Service | 1 Timestomp | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 DLL Side-Loading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Process Injection | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Bootkit | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

        Antivirus detection for the submitted sample:

        Source | Detection | Scanner | Label
        1iGYsIphmN.exe | 8% | ReversingLabs |
        1iGYsIphmN.exe | 100% | Avira | HEUR/AGEN.1332570
        Antivirus detection for dropped files:

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | 100% | Avira | HEUR/AGEN.1314739
        C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | 100% | Avira | HEUR/AGEN.1314739
        C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | 100% | Joe Sandbox ML |
        C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-14NDM.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-22RU2.tmp | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-29ID7.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-3GJGM.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-5KNMT.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-5NT2B.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-AAVDI.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-C1BN7.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-CEHUB.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-D04C6.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-E2R8F.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-F65BV.tmp | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-GTFMU.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-H32UM.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-HGCFL.tmp | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-I40JV.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-J8SQ7.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-MAT0T.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-PA2IE.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-QN9PD.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-S28N5.tmp | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-SL8EF.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-T761O.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-TD2RN.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-UHH4I.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\is-VF2DQ.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-DIJPO.tmp | 3% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy) | 3% | ReversingLabs |
        C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-OUH2D.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        http://www.innosetup.com/ | 0% | URL Reputation | safe
        http://fsf.org/ | 0% | URL Reputation | safe
        Domains:

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dluduxe.info | 185.208.158.202 | true | true | | unknown

        URLs:

        Name | Malicious | Antivirus Detection | Reputation
        http://dluduxe.info/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c3e894923b | true | | unknown
        dluduxe.info | true | | unknown
        http://dluduxe.info/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 | true | | unknown
        URL strings found in samples and memory dumps:

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.innosetup.com/ | 1iGYsIphmN.tmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | false | URL Reputation: safe | unknown
        http://tukaani.org/ | is-E2R8F.tmp.1.dr | false | | unknown
        http://tukaani.org/xz/ | is-E2R8F.tmp.1.dr | false | | unknown
        http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eC | dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.000000000080B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://185.208.158.202/ | dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.0000000000849000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://mingw-w64.sourceforge.net/X | is-QN9PD.tmp.1.dr | false | | unknown
        http://www.remobjects.com/?ps | 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | false | | unknown
        http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec918 | dpfreevideoconverter3264.exe, 00000002.00000002.2945022321.0000000000758000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://fsf.org/ | 1iGYsIphmN.exe, 00000000.00000003.1684193764.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000002.2944971675.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686459777.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686546336.000000000212C000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944902525.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2945091995.000000000211D000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | dpfreevideoconverter3264.exe, 00000002.00000002.2946047980.00000000032B5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://www.gnu.org/licenses/ | 1iGYsIphmN.exe, 00000000.00000003.1684193764.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000002.2944971675.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686459777.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000003.1686546336.000000000212C000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944902525.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2945091995.000000000211D000.00000004.00001000.00020000.00000000.sdmp, is-S28N5.tmp.1.dr | false | | unknown
        http://www.remobjects.com/?psU | 1iGYsIphmN.exe, 00000000.00000003.1684664930.0000000002320000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.exe, 00000000.00000003.1685006491.00000000020C4000.00000004.00001000.00020000.00000000.sdmp, 1iGYsIphmN.tmp, 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 1iGYsIphmN.tmp.0.dr, is-DIJPO.tmp.1.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.202 | dluduxe.info | Switzerland | 34888 | SIMPLECARRER2IT | true
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1540741
                                    Start date and time:2024-10-24 04:31:06 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:7
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:1iGYsIphmN.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:b550e3dc4795f15c0bfebd24cb130ce7.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@5/69@1/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 91%
                                    • Number of executed functions: 181
                                    • Number of non-executed functions: 237
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: 1iGYsIphmN.exe
Time | Type | Description
22:32:34 | API Interceptor | 533501x Sleep call for process: dpfreevideoconverter3264.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.208.158.202 | XettQ15qw4.exe | malicious | Socks5Systemz |
185.208.158.202 | 7rBLc6cmJZ.exe | malicious | Socks5Systemz |
185.208.158.202 | r1LQ3TmnJT.exe | malicious | Socks5Systemz |
185.208.158.202 | NebHwSvhee.exe | malicious | Socks5Systemz |
185.208.158.202 | 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz |
185.208.158.202 | PWT2xZ7185.exe | malicious | Socks5Systemz |
185.208.158.202 | mSQRCKjhxz.exe | malicious | Socks5Systemz |
185.208.158.202 | V2sD5e8M9n.exe | malicious | Socks5Systemz |
185.208.158.202 | WwlZEpBtps.exe | malicious | Socks5Systemz |
185.208.158.202 | r89xjCQs8A.exe | malicious | Socks5Systemz |
89.105.201.183 | N6jsQ3XNNX.exe | malicious | Socks5Systemz | 200
89.105.201.183 | cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | 200
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRER2IT | XettQ15qw4.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | 7rBLc6cmJZ.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | r1LQ3TmnJT.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | NebHwSvhee.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | PWT2xZ7185.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | mSQRCKjhxz.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | V2sD5e8M9n.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | WwlZEpBtps.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | r89xjCQs8A.exe | malicious | Socks5Systemz | 185.208.158.202
NOVOSERVE-ASNL | la.bot.m68k.elf | malicious | Unknown | 89.105.208.192
NOVOSERVE-ASNL | 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | WwlZEpBtps.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | r89xjCQs8A.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | bAmSLrOrem.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | MOf0GCHrzJ.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | ywqsUiCsOs.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | Yb6D4ggK6O.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | b6f3325a89a735a16e5edfe56f8f8814251063d0d2ee6.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | e6kw4rfwr3.exe | malicious | Socks5Systemz | 89.105.201.183
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | XettQ15qw4.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | 7rBLc6cmJZ.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | r1LQ3TmnJT.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | NebHwSvhee.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | PWT2xZ7185.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | mSQRCKjhxz.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | V2sD5e8M9n.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | WwlZEpBtps.exe | malicious | Socks5Systemz |
C:\Users\user\AppData\Local\DP Free Video Converter\is-12LVF.tmp | r89xjCQs8A.exe | malicious | Socks5Systemz |
                                                                            Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2799616
                                                                            Entropy (8bit):6.558624767568604
                                                                            Encrypted:false
                                                                            SSDEEP:24576:FLPEJzxFlbTQDlL/P/xt3MEul4PUVJuHhExmm4pW7Fyass+NXti5Yqhppq1E/joV:eFlbe3Jt2G3OiXIv7hTjsW4L8wBHg
                                                                            MD5:3CBD9752E46D8042741DE2DE58F2B0DF
                                                                            SHA1:0C7676FD0800827397754F94C4E20577C215FC15
                                                                            SHA-256:CD577F1C470AA8FAC9CF894D5E873D130C6F04ED63D22AA116D8B72FC72E51AF
                                                                            SHA-512:81135A0D60D6835C3B6334E623351657956784A63F854E901631322AEE9F2A3485D0B0C73FCDB4F657F14A7AC68AE9CFE57A2AE9AD11D95C0795186B98005EAC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Reputation:low
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../-.L.................."..F........"......."...@..........................P+.......+.....................................\.".@.....#..p............................................................................"..............................hreg5..:.".......".................`....ireg5...;...."..<....".............@..@.data...8....0#..0....#.............@....rsrc....r....#..r...F#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):2.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:K8Cl/l:KD
                                                                            MD5:DB00DDA4E88EB8E58C1C6273EADB6DF6
                                                                            SHA1:BB923F61EC7C2A9EC9D69C33B2E33487AD7BF2EF
                                                                            SHA-256:2C5DD6726B41993E109A200ECBFA7B9AA70DF50D3A4E43CB4F0257C3A525737E
                                                                            SHA-512:925EAE7F3F460896303120EABEAC62A3A58BDF857B26315E415413F3B3F6DEE2E1C9B1ADDDB329039E4E4CEF290A2F47C21AC1210F8FF77201B96B3AEFE59FCE
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:..g....
                                                                            Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4
                                                                            Entropy (8bit):0.8112781244591328
                                                                            Encrypted:false
                                                                            SSDEEP:3:k:k
                                                                            MD5:A9D3C3F72A8AF78C3497847E11CA8C2F
                                                                            SHA1:0726FE07F58D10AEF41A74AF4E0EA2C608BA93E3
                                                                            SHA-256:6CB5A8EC7215303AF880F8BA134519B2C53A4B261CDB55A06FE64385E6FDC484
                                                                            SHA-512:FD6308771A601BC89C942557B17850404E8DED90678F48D49BA623F1EFFCFEC93BE704442E9E0213648FC23FE5659C9A6BD8E56757792F398941DAF7CD0824C0
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:I...
                                                                            Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):2.9545817380615236
                                                                            Encrypted:false
                                                                            SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                            MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                            SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                            SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                            SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                            Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):1.7095628900165245
                                                                            Encrypted:false
                                                                            SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                            MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                            SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                            SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                            SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):2799616
                                                                            Entropy (8bit):6.558624767568604
                                                                            Encrypted:false
                                                                            SSDEEP:24576:FLPEJzxFlbTQDlL/P/xt3MEul4PUVJuHhExmm4pW7Fyass+NXti5Yqhppq1E/joV:eFlbe3Jt2G3OiXIv7hTjsW4L8wBHg
                                                                            MD5:3CBD9752E46D8042741DE2DE58F2B0DF
                                                                            SHA1:0C7676FD0800827397754F94C4E20577C215FC15
                                                                            SHA-256:CD577F1C470AA8FAC9CF894D5E873D130C6F04ED63D22AA116D8B72FC72E51AF
                                                                            SHA-512:81135A0D60D6835C3B6334E623351657956784A63F854E901631322AEE9F2A3485D0B0C73FCDB4F657F14A7AC68AE9CFE57A2AE9AD11D95C0795186B98005EAC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Reputation:low
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../-.L.................."..F........"......."...@..........................P+.......+.....................................\.".@.....#..p............................................................................"..............................hreg5..:.".......".................`....ireg5...;...."..<....".............@..@.data...8....0#..0....#.............@....rsrc....r....#..r...F#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):98626
                                                                            Entropy (8bit):6.478068795827396
                                                                            Encrypted:false
                                                                            SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                            MD5:70CA53E8B46464CCF956D157501D367A
                                                                            SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                            SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                            SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: XettQ15qw4.exe, Detection: malicious
• Filename: 7rBLc6cmJZ.exe, Detection: malicious
• Filename: r1LQ3TmnJT.exe, Detection: malicious
• Filename: NebHwSvhee.exe, Detection: malicious
• Filename: 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe, Detection: malicious
• Filename: PWT2xZ7185.exe, Detection: malicious
• Filename: mSQRCKjhxz.exe, Detection: malicious
• Filename: V2sD5e8M9n.exe, Detection: malicious
• Filename: WwlZEpBtps.exe, Detection: malicious
• Filename: r89xjCQs8A.exe, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):121524
                                                                            Entropy (8bit):6.347995296737745
                                                                            Encrypted:false
                                                                            SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                            MD5:6CE25FB0302F133CC244889C360A6541
                                                                            SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                            SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                            SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):397808
                                                                            Entropy (8bit):6.396146399966879
                                                                            Encrypted:false
                                                                            SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                            MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                            SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                            SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                            SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248694
                                                                            Entropy (8bit):6.346971642353424
                                                                            Encrypted:false
                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):174543
                                                                            Entropy (8bit):6.3532700320638025
                                                                            Encrypted:false
                                                                            SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                            MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                            SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                            SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                            SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):101544
                                                                            Entropy (8bit):6.237382830377451
                                                                            Encrypted:false
                                                                            SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                            MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                            SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                            SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                            SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):92019
                                                                            Entropy (8bit):5.974787373427489
                                                                            Encrypted:false
                                                                            SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                            MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                            SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                            SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                            SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):814068
                                                                            Entropy (8bit):6.5113626552096
                                                                            Encrypted:false
                                                                            SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                            MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                            SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                            SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                            SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):291245
                                                                            Entropy (8bit):6.234245376773595
                                                                            Encrypted:false
                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):235032
                                                                            Entropy (8bit):6.398850087061798
                                                                            Encrypted:false
                                                                            SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                            MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                            SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                            SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                            SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):337171
                                                                            Entropy (8bit):6.46334441651647
                                                                            Encrypted:false
                                                                            SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                            MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                            SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                            SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                            SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):171848
                                                                            Entropy (8bit):6.579154579239999
                                                                            Encrypted:false
                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248781
                                                                            Entropy (8bit):6.474165596279956
                                                                            Encrypted:false
                                                                            SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                            MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                            SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                            SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                            SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):441975
                                                                            Entropy (8bit):6.372283713065844
                                                                            Encrypted:false
                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64724
                                                                            Entropy (8bit):5.910307743399971
                                                                            Encrypted:false
                                                                            SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                            MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                            SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                            SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                            SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):448557
                                                                            Entropy (8bit):6.353356595345232
                                                                            Encrypted:false
                                                                            SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                            MD5:908111F583B7019D2ED3492435E5092D
                                                                            SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                            SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                            SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):706136
                                                                            Entropy (8bit):6.517672165992715
                                                                            Encrypted:false
                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):268404
                                                                            Entropy (8bit):6.265024248848175
                                                                            Encrypted:false
                                                                            SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                            MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                            SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                            SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                            SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):165739
                                                                            Entropy (8bit):6.062324507479428
                                                                            Encrypted:false
                                                                            SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                            MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                            SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                            SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                            SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):509934
                                                                            Entropy (8bit):6.031080686301204
                                                                            Encrypted:false
                                                                            SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                            MD5:02E6C6AB886700E6F184EEE43157C066
                                                                            SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                            SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                            SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):65181
                                                                            Entropy (8bit):6.085572761520829
                                                                            Encrypted:false
                                                                            SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                            MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                            SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                            SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                            SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):140752
                                                                            Entropy (8bit):6.52778891175594
                                                                            Encrypted:false
                                                                            SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                            MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                            SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                            SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                            SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):463112
                                                                            Entropy (8bit):6.363613724826455
                                                                            Encrypted:false
                                                                            SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                            MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                            SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                            SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                            SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):2799616
                                                                            Entropy (8bit):6.558624437498354
                                                                            Encrypted:false
                                                                            SSDEEP:24576:uLPEJzxFlbTQDlL/P/xt3MEul4PUVJuHhExmm4pW7Fyass+NXti5Yqhppq1E/joV:VFlbe3Jt2G3OiXIv7hTjsW4L8wBHg
                                                                            MD5:96ED0BCBB1E7E3D00D46319B2B3EC8EC
                                                                            SHA1:FB2860CE0402FF0A5AAFE43A640FDDF6EBFCC195
                                                                            SHA-256:2D6425D9C8543BCB6F5DF4E247A8A017BA32D426444A290BB39994297ADF9349
                                                                            SHA-512:7FEE9AD0CE00F63E408DCC5F030B4E9DD8EB01B8AA1774E6F8729ECF5A47C5EBABC4DB9FBCA11B105C6311DAE2FE9F4BB51DAB8E57231E561DF28E07CE96EF3E
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):30994
                                                                            Entropy (8bit):5.666281517516177
                                                                            Encrypted:false
                                                                            SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                            MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                            SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                            SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                            SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):181527
Entropy (8bit):6.362061002967905
Encrypted:false
SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:0D0D311D1837705B1EAFBC5A85A695BD
SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):26562
Entropy (8bit):5.606958768500933
Encrypted:false
SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
MD5:E9C7068B3A10C09A283259AA1B5D86F2
SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):259014
Entropy (8bit):6.075222655669795
Encrypted:false
SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:B4FDE05A19346072C713BE2926AF8961
SHA1:102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):121524
Entropy (8bit):6.347995296737745
Encrypted:false
SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:6CE25FB0302F133CC244889C360A6541
SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):814068
Entropy (8bit):6.5113626552096
Encrypted:false
SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:5B1EB4B36F189362DEF93BF3E37354CC
SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):268404
Entropy (8bit):6.265024248848175
Encrypted:false
SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:C4C23388109D8A9CC2B87D984A1F09B8
SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):463112
Entropy (8bit):6.363613724826455
Encrypted:false
SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:D9D9C79E35945FCA3F9D9A49378226E7
SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):337171
Entropy (8bit):6.46334441651647
Encrypted:false
SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):174543
Entropy (8bit):6.3532700320638025
Encrypted:false
SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:65D8CB2733295758E5328E5A3E1AFF15
SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):235032
Entropy (8bit):6.398850087061798
Encrypted:false
SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:E1D0ACD1243F9E59491DC115F4E379A4
SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):441975
                                                                            Entropy (8bit):6.372283713065844
                                                                            Encrypted:false
                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):140752
                                                                            Entropy (8bit):6.52778891175594
                                                                            Encrypted:false
                                                                            SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                            MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                            SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                            SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                            SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):509934
                                                                            Entropy (8bit):6.031080686301204
                                                                            Encrypted:false
                                                                            SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                            MD5:02E6C6AB886700E6F184EEE43157C066
                                                                            SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                            SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                            SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):397808
                                                                            Entropy (8bit):6.396146399966879
                                                                            Encrypted:false
                                                                            SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                            MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                            SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                            SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                            SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):171848
                                                                            Entropy (8bit):6.579154579239999
                                                                            Encrypted:false
                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):259014
                                                                            Entropy (8bit):6.075222655669795
                                                                            Encrypted:false
                                                                            SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                            MD5:B4FDE05A19346072C713BE2926AF8961
                                                                            SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                            SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                            SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64724
                                                                            Entropy (8bit):5.910307743399971
                                                                            Encrypted:false
                                                                            SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                            MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                            SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                            SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                            SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):92019
                                                                            Entropy (8bit):5.974787373427489
                                                                            Encrypted:false
                                                                            SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                            MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                            SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                            SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                            SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0...*...........................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.......*..................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):165739
                                                                            Entropy (8bit):6.062324507479428
                                                                            Encrypted:false
                                                                            SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                            MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                            SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                            SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                            SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):101544
                                                                            Entropy (8bit):6.237382830377451
                                                                            Encrypted:false
                                                                            SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                            MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                            SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                            SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                            SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......*... ...,..................@.0@.bss.........P........................`..edata..-....`.......*..............@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):291245
                                                                            Entropy (8bit):6.234245376773595
                                                                            Encrypted:false
                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):706136
                                                                            Entropy (8bit):6.517672165992715
                                                                            Encrypted:false
                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248781
                                                                            Entropy (8bit):6.474165596279956
                                                                            Encrypted:false
                                                                            SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                            MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                            SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                            SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                            SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248694
                                                                            Entropy (8bit):6.346971642353424
                                                                            Encrypted:false
                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):30994
                                                                            Entropy (8bit):5.666281517516177
                                                                            Encrypted:false
                                                                            SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                            MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                            SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                            SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                            SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):448557
                                                                            Entropy (8bit):6.353356595345232
                                                                            Encrypted:false
                                                                            SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                            MD5:908111F583B7019D2ED3492435E5092D
                                                                            SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                            SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                            SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):65181
                                                                            Entropy (8bit):6.085572761520829
                                                                            Encrypted:false
                                                                            SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                            MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                            SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                            SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                            SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):691481
                                                                            Entropy (8bit):6.478892626527981
                                                                            Encrypted:false
                                                                            SSDEEP:12288:bNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNvwnsjxGO:xuz2eVrPw7373zHEA6hQz4OWDjtSsjxX
                                                                            MD5:FBB39D2A2C18A46AE884360B8A9663FB
                                                                            SHA1:A97BA99992E12F9BB3B6CA1D0CB1B577ED5013A7
                                                                            SHA-256:BBFAEC780C0BF859F50D4D0E5F802782444538F0DE01FB787D46DC3C57FE14FE
                                                                            SHA-512:8A971DD04D321B2FDA8F66F29EF010D34F68569439322B883D6DEFD7385F808C68558A19BEC46DA52A421EF7832883994C6EA55981717212C1C3555856A1E5B9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P...................@...........................0...%.......:...................................................p......................................................CODE....0........................... ..`DATA....l...........................@...BSS......................................idata...%...0...&..................@....tls.........`.......(...................rdata.......p.......(..............@..P.reloc..P............*..............@..P.rsrc....:.......:...*..............@..P.............P......................@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:InnoSetup Log DP Free Video Converter, version 0x30, 5955 bytes, 675052\user, "C:\Users\user\AppData\Local\DP Free Video Converter"
                                                                            Category:dropped
                                                                            Size (bytes):5955
                                                                            Entropy (8bit):4.866502768905672
                                                                            Encrypted:false
                                                                            SSDEEP:96:qw2WGT8Bpaowg/9sE+eOIhACQlyT0eqaxeFmky8KaqXN/A4Rjv3Js/4BSy:qw2WGTOpaowlHIhSby
                                                                            MD5:9AF634E533A44CD9FECF735EFEDB87E1
                                                                            SHA1:428CE8193A709B7B975E3A56491A193551C739A4
                                                                            SHA-256:109A3EFA9C7D5932C65FFF90B0FFA7DD0AA64C942EDB9D568E344D650F8CA0AD
                                                                            SHA-512:433CF7F42369551AA0B36631B19E9364984FF5CEE052D99E96E1A123CBA86D769147B63EEC021FFB2FA88B6DD2B597434ECF1AE7B614399831554ED75C1BED1B
                                                                            Malicious:false
                                                                            Preview:Inno Setup Uninstall Log (b)....................................DP Free Video Converter.........................................................................................................DP Free Video Converter.........................................................................................................0..."...C...%.................................................................................................................:.........5.......T....675052.user4C:\Users\user\AppData\Local\DP Free Video Converter.............:.... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:Us
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):691481
                                                                            Entropy (8bit):6.478892626527981
                                                                            Encrypted:false
                                                                            SSDEEP:12288:bNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNvwnsjxGO:xuz2eVrPw7373zHEA6hQz4OWDjtSsjxX
                                                                            MD5:FBB39D2A2C18A46AE884360B8A9663FB
                                                                            SHA1:A97BA99992E12F9BB3B6CA1D0CB1B577ED5013A7
                                                                            SHA-256:BBFAEC780C0BF859F50D4D0E5F802782444538F0DE01FB787D46DC3C57FE14FE
                                                                            SHA-512:8A971DD04D321B2FDA8F66F29EF010D34F68569439322B883D6DEFD7385F808C68558A19BEC46DA52A421EF7832883994C6EA55981717212C1C3555856A1E5B9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P...................@...........................0...%.......:...................................................p......................................................CODE....0........................... ..`DATA....l...........................@...BSS......................................idata...%...0...&..................@....tls.........`.......(...................rdata.......p.......(..............@..P.reloc..P............*..............@..P.rsrc....:.......:...*..............@..P.............P......................@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):98626
                                                                            Entropy (8bit):6.478068795827396
                                                                            Encrypted:false
                                                                            SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                            MD5:70CA53E8B46464CCF956D157501D367A
                                                                            SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                            SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                            SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\1iGYsIphmN.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):680960
                                                                            Entropy (8bit):6.470072182557807
                                                                            Encrypted:false
                                                                            SSDEEP:12288:zNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNvwnsjxG:Juz2eVrPw7373zHEA6hQz4OWDjtSsjxG
                                                                            MD5:BD4BFB94D85C372C939F660E464CFCD5
                                                                            SHA1:8125C075DB48F805BF273BE88331FF1A5C702014
                                                                            SHA-256:4110DE541F3499B4C05AA8D6610551AA0FCEE905CED2060D251F704041E8C78F
                                                                            SHA-512:DA6C8A136448ED251AE064E3795DEBB5A2A0EA8E16DBE4B45D8A3B863AF2A61891C6941CA4CB3FEC346E72F9A082B93F0578B5C580866C5709F7D768225AB97C
                                                                            Malicious:true
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P...................@...........................0...%.......:...................................................p......................................................CODE....0........................... ..`DATA....l...........................@...BSS......................................idata...%...0...&..................@....tls.........`.......(...................rdata.......p.......(..............@..P.reloc..P............*..............@..P.rsrc....:.......:...*..............@..P.............P......................@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3584
                                                                            Entropy (8bit):4.012434743866195
                                                                            Encrypted:false
                                                                            SSDEEP:48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD
                                                                            MD5:C594B792B9C556EA62A30DE541D2FB03
                                                                            SHA1:69E0207515E913243B94C2D3A116D232FF79AF5F
                                                                            SHA-256:5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E
                                                                            SHA-512:387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L.....%E..................................... ....@..........................@..............................................l ..P....0..8............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...8....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2560
                                                                            Entropy (8bit):2.8818118453929262
                                                                            Encrypted:false
                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5632
                                                                            Entropy (8bit):4.203889009972449
                                                                            Encrypted:false
                                                                            SSDEEP:48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv
                                                                            MD5:B4604F8CD050D7933012AE4AA98E1796
                                                                            SHA1:36B7D966C7F87860CD6C46096B397AA23933DF8E
                                                                            SHA-256:B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5
                                                                            SHA-512:3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d......E..........#............................@.............................`..............................................................<!.......P..8....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...8....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23312
                                                                            Entropy (8bit):4.596242908851566
                                                                            Encrypted:false
                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.998428513690783
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 97.02%
                                                                            • Win32 Executable PowerBASIC/Win 9.x (148305/79) 1.44%
                                                                            • Inno Setup installer (109748/4) 1.06%
                                                                            • InstallShield setup (43055/19) 0.42%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            File name:1iGYsIphmN.exe
                                                                            File size:4'079'665 bytes
                                                                            MD5:b550e3dc4795f15c0bfebd24cb130ce7
                                                                            SHA1:7af5b5727b303d36d3255eda769c1d1bf2c57518
                                                                            SHA256:04768fec909a41d9908a9a1ee4827e2f5debee21445be37c280bc8514c543c7b
                                                                            SHA512:641ccf1c98203b67b80ce754dae545b4b965d427e5825c5c4815daf870c70efae24668c685da3e2fef5dccd069328c30bd90b67e4b3357d52e28512c42bdbb11
                                                                            SSDEEP:98304:M8rOytC3sPj55uOnZtpwOy42bE/cNlZFp6RCBKAJq:tTN5DZtysOE/ovqRsKAA
                                                                            TLSH:AC163346F2928876C2A742B85820E149866F7AA137BEF11CB5FCBBDD1F7B520050DF46
                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                            Icon Hash:2d2e3797b32b2b99
                                                                            Entrypoint:0x409a54
                                                                            Entrypoint Section:CODE
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:1
                                                                            OS Version Minor:0
                                                                            File Version Major:1
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:1
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFC4h
                                                                            push ebx
                                                                            push esi
                                                                            push edi
                                                                            xor eax, eax
                                                                            mov dword ptr [ebp-10h], eax
                                                                            mov dword ptr [ebp-24h], eax
                                                                            call 00007F72B4619C47h
                                                                            call 00007F72B461AE4Eh
                                                                            call 00007F72B461D079h
                                                                            call 00007F72B461D0C0h
                                                                            call 00007F72B461F8E7h
                                                                            call 00007F72B461FA4Eh
                                                                            xor eax, eax
                                                                            push ebp
                                                                            push 0040A102h
                                                                            push dword ptr fs:[eax]
                                                                            mov dword ptr fs:[eax], esp
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A0CBh
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            mov eax, dword ptr [0040C014h]
                                                                            call 00007F72B4620470h
                                                                            call 00007F72B461FFDBh
                                                                            lea edx, dword ptr [ebp-10h]
                                                                            xor eax, eax
                                                                            call 00007F72B461D685h
                                                                            mov edx, dword ptr [ebp-10h]
                                                                            mov eax, 0040CDE4h
                                                                            call 00007F72B4619CF8h
                                                                            push 00000002h
                                                                            push 00000000h
                                                                            push 00000001h
                                                                            mov ecx, dword ptr [0040CDE4h]
                                                                            mov dl, 01h
                                                                            mov eax, 004072A4h
                                                                            call 00007F72B461DEF0h
                                                                            mov dword ptr [0040CDE8h], eax
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A083h
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            call 00007F72B46204E0h
                                                                            mov dword ptr [0040CDF0h], eax
                                                                            mov eax, dword ptr [0040CDF0h]
                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                            jne 00007F72B462061Ah
                                                                            mov eax, dword ptr [0040CDF0h]
                                                                            mov edx, 00000028h
                                                                            call 00007F72B461E2F1h
                                                                            mov edx, dword ptr [0040CDF0h]
                                                                            cmp eax, dword ptr [edx+00h]
                                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2a00 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                            CODE | 0x1000 | 0x916c | 0x9200 | f9c9dd3f4dceede0add0e7309253e897 | False | 0.6143247003424658 | data | 6.5647212410937765 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                            DATA | 0xb000 | 0x24c | 0x400 | 4a56e30ca4646e6369d96abeacb0e6f0 | False | 0.306640625 | data | 2.7335120306674594 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                            BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                            .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                            .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                            .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                            .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                            .rsrc | 0x11000 | 0x2a00 | 0x2a00 | bad8e412e74ae5a33115c6ed460fd942 | False | 0.3248697916666667 | data | 4.422809077256365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                            RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                                            RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                                            RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                                            RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                                            RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                                            RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                                            RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                                            RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                                            RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                                            RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                                            RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1590909090909092
                                                                            RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                                            RT_VERSION | 0x1307c | 0x3cc | data | English | United States | 0.32407407407407407
                                                                            RT_MANIFEST | 0x13448 | 0x47e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4330434782608696
                                                                            DLL | Import
                                                                            kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                                            user32.dll | MessageBoxA
                                                                            oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                                            kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                            user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                                            comctl32.dll | InitCommonControls
                                                                            advapi32.dll | AdjustTokenPrivileges
                                                                            Language of compilation system | Country where language is spoken
                                                                            Dutch | Netherlands
                                                                            English | United States
                                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                            2024-10-24T04:32:54.689900+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:54.689900+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:55.123047+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:55.123047+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:58.301659+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:58.301659+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:58.724173+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:58.724173+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:59.144205+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:59.144205+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:59.887916+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:32:59.887916+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:00.750319+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:00.750319+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:01.802299+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:01.802299+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:02.230901+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:02.230901+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:03.272506+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
                                                                            2024-10-24T04:33:03.272506+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449767185.208.158.20280TCP
                                                                            2024-10-24T04:33:03.681357+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449767185.208.158.20280TCP
                                                                            2024-10-24T04:33:03.681357+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449767185.208.158.20280TCP
                                                                            2024-10-24T04:33:04.710407+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449777185.208.158.20280TCP
                                                                            2024-10-24T04:33:04.710407+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449777185.208.158.20280TCP
                                                                            2024-10-24T04:33:05.771702+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449781185.208.158.20280TCP
                                                                            2024-10-24T04:33:05.771702+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449781185.208.158.20280TCP
                                                                            2024-10-24T04:33:06.202187+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449781185.208.158.20280TCP
                                                                            2024-10-24T04:33:06.202187+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449781185.208.158.20280TCP
                                                                            2024-10-24T04:33:07.237550+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449790185.208.158.20280TCP
                                                                            2024-10-24T04:33:07.237550+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449790185.208.158.20280TCP
                                                                            2024-10-24T04:33:07.652069+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449790185.208.158.20280TCP
                                                                            2024-10-24T04:33:07.652069+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449790185.208.158.20280TCP
                                                                            2024-10-24T04:33:08.693574+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449801185.208.158.20280TCP
                                                                            2024-10-24T04:33:08.693574+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449801185.208.158.20280TCP
                                                                            2024-10-24T04:33:09.102719+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449801185.208.158.20280TCP
                                                                            2024-10-24T04:33:09.102719+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449801185.208.158.20280TCP
                                                                            2024-10-24T04:33:10.214263+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449807185.208.158.20280TCP
                                                                            2024-10-24T04:33:10.214263+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449807185.208.158.20280TCP
                                                                            2024-10-24T04:33:11.254590+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449817185.208.158.20280TCP
                                                                            2024-10-24T04:33:11.254590+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449817185.208.158.20280TCP
                                                                            2024-10-24T04:33:11.667859+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449817185.208.158.20280TCP
                                                                            2024-10-24T04:33:11.667859+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449817185.208.158.20280TCP
                                                                            2024-10-24T04:33:12.836205+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449823185.208.158.20280TCP
                                                                            2024-10-24T04:33:12.836205+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449823185.208.158.20280TCP
                                                                            2024-10-24T04:33:13.264722+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449823185.208.158.20280TCP
                                                                            2024-10-24T04:33:13.264722+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449823185.208.158.20280TCP
                                                                            2024-10-24T04:33:14.304086+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449834185.208.158.20280TCP
                                                                            2024-10-24T04:33:14.304086+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449834185.208.158.20280TCP
                                                                            2024-10-24T04:33:15.697818+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449840185.208.158.20280TCP
                                                                            2024-10-24T04:33:15.697818+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449840185.208.158.20280TCP
                                                                            2024-10-24T04:33:16.730395+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449851185.208.158.20280TCP
                                                                            2024-10-24T04:33:16.730395+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449851185.208.158.20280TCP
                                                                            2024-10-24T04:33:17.779239+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449857185.208.158.20280TCP
                                                                            2024-10-24T04:33:17.779239+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449857185.208.158.20280TCP
                                                                            2024-10-24T04:33:18.822413+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449863185.208.158.20280TCP
                                                                            2024-10-24T04:33:18.822413+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449863185.208.158.20280TCP
                                                                            2024-10-24T04:33:19.855601+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449869185.208.158.20280TCP
                                                                            2024-10-24T04:33:19.855601+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449869185.208.158.20280TCP
                                                                            2024-10-24T04:33:20.890687+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449875185.208.158.20280TCP
                                                                            2024-10-24T04:33:20.890687+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449875185.208.158.20280TCP
                                                                            2024-10-24T04:33:21.915638+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449882185.208.158.20280TCP
                                                                            2024-10-24T04:33:21.915638+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449882185.208.158.20280TCP
                                                                            2024-10-24T04:33:22.969091+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449892185.208.158.20280TCP
                                                                            2024-10-24T04:33:22.969091+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449892185.208.158.20280TCP
                                                                            2024-10-24T04:33:24.006721+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449898185.208.158.20280TCP
                                                                            2024-10-24T04:33:24.006721+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449898185.208.158.20280TCP
                                                                            2024-10-24T04:33:25.037051+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449904185.208.158.20280TCP
                                                                            2024-10-24T04:33:25.037051+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449904185.208.158.20280TCP
                                                                            2024-10-24T04:33:25.451765+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449904185.208.158.20280TCP
                                                                            2024-10-24T04:33:25.451765+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449904185.208.158.20280TCP
                                                                            2024-10-24T04:33:26.480810+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449915185.208.158.20280TCP
                                                                            2024-10-24T04:33:26.480810+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449915185.208.158.20280TCP
                                                                            2024-10-24T04:33:27.515891+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449921185.208.158.20280TCP
                                                                            2024-10-24T04:33:27.515891+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449921185.208.158.20280TCP
                                                                            2024-10-24T04:33:28.559515+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449927185.208.158.20280TCP
                                                                            2024-10-24T04:33:28.559515+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449927185.208.158.20280TCP
                                                                            2024-10-24T04:33:29.601621+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449933185.208.158.20280TCP
                                                                            2024-10-24T04:33:29.601621+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449933185.208.158.20280TCP
                                                                            2024-10-24T04:33:30.010526+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449933185.208.158.20280TCP
                                                                            2024-10-24T04:33:30.010526+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449933185.208.158.20280TCP
                                                                            2024-10-24T04:33:31.041632+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449944185.208.158.20280TCP
                                                                            2024-10-24T04:33:31.041632+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449944185.208.158.20280TCP
                                                                            2024-10-24T04:33:32.095799+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449950185.208.158.20280TCP
                                                                            2024-10-24T04:33:32.095799+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449950185.208.158.20280TCP
                                                                            2024-10-24T04:33:33.140738+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449956185.208.158.20280TCP
                                                                            2024-10-24T04:33:33.140738+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449956185.208.158.20280TCP
                                                                            2024-10-24T04:33:34.153707+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449963185.208.158.20280TCP
                                                                            2024-10-24T04:33:34.153707+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449963185.208.158.20280TCP
                                                                            2024-10-24T04:33:35.188733+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449971185.208.158.20280TCP
                                                                            2024-10-24T04:33:35.188733+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449971185.208.158.20280TCP
                                                                            2024-10-24T04:33:36.218532+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449978185.208.158.20280TCP
                                                                            2024-10-24T04:33:36.218532+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449978185.208.158.20280TCP
                                                                            2024-10-24T04:33:37.248405+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449984185.208.158.20280TCP
                                                                            2024-10-24T04:33:37.248405+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449984185.208.158.20280TCP
                                                                            2024-10-24T04:33:38.296537+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449991185.208.158.20280TCP
                                                                            2024-10-24T04:33:38.296537+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449991185.208.158.20280TCP
                                                                            2024-10-24T04:33:39.330327+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449997185.208.158.20280TCP
                                                                            2024-10-24T04:33:39.330327+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449997185.208.158.20280TCP
                                                                            2024-10-24T04:33:40.365498+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450005185.208.158.20280TCP
                                                                            2024-10-24T04:33:40.365498+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450005185.208.158.20280TCP
                                                                            2024-10-24T04:33:40.776078+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450005185.208.158.20280TCP
                                                                            2024-10-24T04:33:40.776078+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450005185.208.158.20280TCP
                                                                            2024-10-24T04:33:41.801042+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450014185.208.158.20280TCP
                                                                            2024-10-24T04:33:41.801042+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450014185.208.158.20280TCP
                                                                            2024-10-24T04:33:42.218444+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450014185.208.158.20280TCP
                                                                            2024-10-24T04:33:42.218444+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450014185.208.158.20280TCP
                                                                            2024-10-24T04:33:43.252301+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450024185.208.158.20280TCP
                                                                            2024-10-24T04:33:43.252301+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450024185.208.158.20280TCP
                                                                            2024-10-24T04:33:44.306630+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450030185.208.158.20280TCP
                                                                            2024-10-24T04:33:44.306630+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450030185.208.158.20280TCP
                                                                            2024-10-24T04:33:45.337480+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450037185.208.158.20280TCP
                                                                            2024-10-24T04:33:45.337480+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450037185.208.158.20280TCP
                                                                            2024-10-24T04:33:46.376962+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450043185.208.158.20280TCP
                                                                            2024-10-24T04:33:46.376962+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450043185.208.158.20280TCP
                                                                            2024-10-24T04:33:47.390698+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450044185.208.158.20280TCP
                                                                            2024-10-24T04:33:47.390698+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450044185.208.158.20280TCP
                                                                            2024-10-24T04:33:48.424958+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450045185.208.158.20280TCP
                                                                            2024-10-24T04:33:48.424958+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450045185.208.158.20280TCP
                                                                            2024-10-24T04:33:48.844623+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450045185.208.158.20280TCP
                                                                            2024-10-24T04:33:48.844623+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450045185.208.158.20280TCP
                                                                            2024-10-24T04:33:49.893499+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450046185.208.158.20280TCP
                                                                            2024-10-24T04:33:49.893499+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450046185.208.158.20280TCP
                                                                            2024-10-24T04:33:50.326568+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450046185.208.158.20280TCP
                                                                            2024-10-24T04:33:50.326568+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450046185.208.158.20280TCP
                                                                            2024-10-24T04:33:51.367695+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450047185.208.158.20280TCP
                                                                            2024-10-24T04:33:51.367695+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450047185.208.158.20280TCP
                                                                            2024-10-24T04:33:52.407841+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450048185.208.158.20280TCP
                                                                            2024-10-24T04:33:52.407841+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450048185.208.158.20280TCP
                                                                            2024-10-24T04:33:53.621212+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450049185.208.158.20280TCP
                                                                            2024-10-24T04:33:53.621212+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450049185.208.158.20280TCP
                                                                            2024-10-24T04:33:54.652410+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450050185.208.158.20280TCP
                                                                            2024-10-24T04:33:54.652410+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450050185.208.158.20280TCP
                                                                            2024-10-24T04:33:55.683403+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450051185.208.158.20280TCP
                                                                            2024-10-24T04:33:55.683403+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450051185.208.158.20280TCP
                                                                            2024-10-24T04:33:56.715613+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450052185.208.158.20280TCP
                                                                            2024-10-24T04:33:56.715613+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450052185.208.158.20280TCP
                                                                            2024-10-24T04:33:57.779161+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450053185.208.158.20280TCP
                                                                            2024-10-24T04:33:57.779161+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450053185.208.158.20280TCP
                                                                            2024-10-24T04:33:58.814520+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450054185.208.158.20280TCP
                                                                            2024-10-24T04:33:58.814520+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450054185.208.158.20280TCP
                                                                            2024-10-24T04:33:59.858763+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450055185.208.158.20280TCP
                                                                            2024-10-24T04:33:59.858763+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450055185.208.158.20280TCP
                                                                            2024-10-24T04:34:00.891135+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450056185.208.158.20280TCP
                                                                            2024-10-24T04:34:00.891135+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450056185.208.158.20280TCP
                                                                            2024-10-24T04:34:01.940395+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450057185.208.158.20280TCP
                                                                            2024-10-24T04:34:01.940395+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450057185.208.158.20280TCP
                                                                            2024-10-24T04:34:02.987629+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450058185.208.158.20280TCP
                                                                            2024-10-24T04:34:02.987629+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450058185.208.158.20280TCP
                                                                            2024-10-24T04:34:04.035035+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450059185.208.158.20280TCP
                                                                            2024-10-24T04:34:04.035035+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450059185.208.158.20280TCP
                                                                            2024-10-24T04:34:05.238295+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.450060185.208.158.20280TCP
                                                                            2024-10-24T04:34:05.238295+02002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.450060185.208.158.20280TCP
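The alert table above shows the behaviour worth keying on even without the signature: every C2 contact is a fresh HTTP connection to 185.208.158.202:80 on a new ephemeral source port, roughly one second apart, and SIDs 2049467 and 2050112 fire at the same instant on the same socket. Because the C2 uses plain HTTP on port 80, port-based filtering would never see it; periodicity does. The script below is an added example (not part of the Joe Sandbox report or the ANY.RUN ruleset) that parses a handful of rows copied from this table, collapses the duplicate SID hits per socket into one contact, and measures how regular the contacts are. The jitter threshold of 0.5 is an assumed tuning value, and the pipe-separated row layout is simply the one used here for the sample.

```python
from datetime import datetime
from statistics import median

# Rows copied from the Suricata alert table above (a subset), laid out as
# timestamp | SID | signature | severity | src IP | src port | dst IP | dst port | proto.
ALERT_ROWS = """\
2024-10-24T04:33:01.802299+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:01.802299+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:02.230901+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.272506+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:03.272506+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:04.710407+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:05.771702+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:05.771702+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:06.202187+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | TCP
2024-10-24T04:33:07.237550+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
"""


def parse_alerts(text):
    """Turn pipe-separated alert rows into dicts with typed fields."""
    alerts = []
    for line in text.strip().splitlines():
        ts, sid, msg, sev, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "msg": msg, "severity": int(sev),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
        })
    return alerts


def connections(alerts):
    """One record per TCP socket (src, sport, dst, dport).

    Both SIDs fire at the same timestamp on the same socket, and the reply on
    that socket can re-trigger them, so grouping by socket yields one record
    per C2 contact instead of two to four alert lines."""
    conns = {}
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        rec = conns.setdefault(key, {"first": a["ts"], "sids": set(), "alerts": 0})
        rec["first"] = min(rec["first"], a["ts"])
        rec["sids"].add(a["sid"])
        rec["alerts"] += 1
    return conns


def beacon_stats(alerts, max_jitter=0.5):
    """Inter-contact intervals and a simple periodicity verdict.

    jitter = (max gap - min gap) / median gap; max_jitter is an assumed
    tuning value, not something taken from the report."""
    conns = connections(alerts)
    times = sorted(c["first"] for c in conns.values())
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    stats = {
        "alerts": len(alerts),
        "connections": len(conns),
        "sids": {a["sid"] for a in alerts},
        "destinations": {(k[2], k[3]) for k in conns},
        "intervals_s": [round(g, 3) for g in gaps],
        "periodic": False,
    }
    if len(gaps) >= 2:
        med = median(gaps)
        stats["median_interval_s"] = round(med, 3)
        stats["jitter"] = round((max(gaps) - min(gaps)) / med, 2)
        stats["periodic"] = stats["jitter"] <= max_jitter
    return stats


if __name__ == "__main__":
    for key, value in beacon_stats(parse_alerts(ALERT_ROWS)).items():
        print(f"{key}: {value}")
```

On the ten sample rows this yields five contacts to a single destination, gaps of about 1.06 to 1.47 s and a jitter of roughly 0.28, so the verdict is periodic. The same grouping applied to the full table gives the ~1 s cadence visible in the timestamps; on production Suricata output (eve.json rather than this report's table) the fields map one to one and the socket key is the flow tuple.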
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 04:32:53.768125057 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:53.773675919 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:53.773812056 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:53.773935080 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:53.779289007 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:54.689714909 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:54.689899921 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:54.804832935 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:54.813059092 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:55.122922897 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:55.122946024 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:55.123047113 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:55.124281883 CEST | 49738 | 2023 | 192.168.2.4 | 89.105.201.183
Oct 24, 2024 04:32:55.129622936 CEST | 2023 | 49738 | 89.105.201.183 | 192.168.2.4
Oct 24, 2024 04:32:55.129714012 CEST | 49738 | 2023 | 192.168.2.4 | 89.105.201.183
Oct 24, 2024 04:32:55.129811049 CEST | 49738 | 2023 | 192.168.2.4 | 89.105.201.183
Oct 24, 2024 04:32:55.135061979 CEST | 2023 | 49738 | 89.105.201.183 | 192.168.2.4
Oct 24, 2024 04:32:55.135119915 CEST | 49738 | 2023 | 192.168.2.4 | 89.105.201.183
Oct 24, 2024 04:32:55.140424967 CEST | 2023 | 49738 | 89.105.201.183 | 192.168.2.4
Oct 24, 2024 04:32:55.954579115 CEST | 2023 | 49738 | 89.105.201.183 | 192.168.2.4
Oct 24, 2024 04:32:56.003031015 CEST | 49738 | 2023 | 192.168.2.4 | 89.105.201.183
Oct 24, 2024 04:32:57.960613012 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:57.967148066 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:58.301464081 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:58.301659107 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:58.413924932 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
Oct 24, 2024 04:32:58.419281960 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:58.724085093 CEST | 80 | 49736 | 185.208.158.202 | 192.168.2.4
Oct 24, 2024 04:32:58.724173069 CEST | 49736 | 80 | 192.168.2.4 | 185.208.158.202
                                                                            Oct 24, 2024 04:32:58.725373983 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:58.730739117 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:58.730835915 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:58.730916023 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:58.730979919 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:58.736268044 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:58.780205965 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:58.835378885 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:32:58.840935946 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:32:59.144109011 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:32:59.144205093 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:32:59.257745028 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:32:59.487529993 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:32:59.585534096 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:59.585762024 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:59.585758924 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:59.585812092 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:32:59.585829973 CEST497502023192.168.2.489.105.201.183
                                                                            Oct 24, 2024 04:32:59.585841894 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:32:59.592981100 CEST20234975089.105.201.183192.168.2.4
                                                                            Oct 24, 2024 04:32:59.887794018 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:32:59.887916088 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.132597923 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.262027979 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:00.750226021 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:00.750319004 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.866564989 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.866957903 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.873569012 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:00.873588085 CEST8049736185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:00.873673916 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.873713017 CEST4973680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.873867035 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:00.880392075 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:01.802083015 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:01.802299023 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:01.916815996 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:01.923360109 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:02.230781078 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:02.230901003 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.363267899 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.363818884 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.369379044 CEST8049756185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:02.369421959 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:02.369431019 CEST4975680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.369476080 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.369805098 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:02.375104904 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.272422075 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.272505999 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.381259918 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.386744976 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.681281090 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.681356907 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.802889109 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.803181887 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.808598042 CEST8049777185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.808676958 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.808811903 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.808872938 CEST8049767185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:03.808923006 CEST4976780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:03.814158916 CEST8049777185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:04.708807945 CEST8049777185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:04.710407019 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.834511042 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.834779978 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.840128899 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:04.840317965 CEST8049777185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:04.840403080 CEST4977780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.840409994 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.840502977 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:04.845817089 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:05.771502018 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:05.771702051 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:05.880839109 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:05.886549950 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:06.202121973 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:06.202187061 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.318434954 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.318758965 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.324208975 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:06.324254036 CEST8049781185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:06.324354887 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.324573994 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.324574947 CEST4978180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:06.329943895 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.237375975 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.237550020 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.349806070 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.355245113 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.651724100 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.652069092 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.772656918 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.772960901 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.779565096 CEST8049790185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.779586077 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:07.779692888 CEST4979080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.779743910 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.780034065 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:07.785492897 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:08.693469048 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:08.693573952 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:08.803257942 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:08.808665991 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:09.102622986 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:09.102719069 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.302740097 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.303047895 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.308396101 CEST8049807185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:09.308423996 CEST8049801185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:09.308459997 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.308482885 CEST4980180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.323375940 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:09.328880072 CEST8049807185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:10.214193106 CEST8049807185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:10.214262962 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.334219933 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.334549904 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.339950085 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:10.340030909 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.340114117 CEST8049807185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:10.340158939 CEST4980780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.340296030 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:10.345556974 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.254513979 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.254590034 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.366801023 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.372318983 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.667706966 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.667859077 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.896927118 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.897243023 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.902729988 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.902759075 CEST8049817185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:11.902818918 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.902858973 CEST4981780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.906766891 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:11.912149906 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:12.836093903 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:12.836205006 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:12.943944931 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:12.949280024 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:13.264655113 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:13.264722109 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.380830050 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.381145000 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.386528015 CEST8049823185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:13.386559963 CEST8049834185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:13.386610985 CEST4982380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.386648893 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.386790037 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:13.392040968 CEST8049834185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:14.303764105 CEST8049834185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:14.304085970 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.758590937 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.759012938 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.764467001 CEST8049840185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:14.764497042 CEST8049834185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:14.764544964 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.764565945 CEST4983480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.764720917 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:14.770035982 CEST8049840185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:15.697686911 CEST8049840185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:15.697818041 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.818615913 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.818902016 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.824265003 CEST8049851185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:15.824353933 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.824520111 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.824558020 CEST8049840185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:15.824611902 CEST4984080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:15.830037117 CEST8049851185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:16.730034113 CEST8049851185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:16.730395079 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.865155935 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.865387917 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.871439934 CEST8049851185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:16.871459961 CEST8049857185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:16.871530056 CEST4985180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.871562004 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.871814013 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:16.877105951 CEST8049857185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:17.779007912 CEST8049857185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:17.779238939 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.896192074 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.896490097 CEST4986380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.902116060 CEST8049863185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:17.902195930 CEST4986380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.902254105 CEST8049857185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:17.902307034 CEST4985780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.902400017 CEST4986380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:17.907951117 CEST8049863185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:44.427501917 CEST5003080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:44.427741051 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:44.433357000 CEST8050037185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:44.433482885 CEST8050030185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:44.433501005 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:44.433552980 CEST5003080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:44.433716059 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:44.439073086 CEST8050037185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:45.336340904 CEST8050037185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:45.337480068 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.459357977 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.459830999 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.465413094 CEST8050037185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:45.465559959 CEST8050043185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:45.465778112 CEST5003780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.465821981 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.465822935 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:45.471851110 CEST8050043185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:46.376806974 CEST8050043185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:46.376961946 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.489877939 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.490176916 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.495656013 CEST8050044185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:46.495877981 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.495909929 CEST8050043185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:46.496119976 CEST5004380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.496520042 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:46.501959085 CEST8050044185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:47.390480042 CEST8050044185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:47.390697956 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.505947113 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.506324053 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.511672974 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:47.511748075 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.511791945 CEST8050044185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:47.511851072 CEST5004480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.511936903 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:47.517935991 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.424745083 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.424957991 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.538196087 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.545015097 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.844330072 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.844623089 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.961220026 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.961600065 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.967164993 CEST8050045185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.967256069 CEST5004580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.967272043 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:48.967360020 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.967528105 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:48.972799063 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:49.893418074 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:49.893498898 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.005810976 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.011548042 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:50.326457024 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:50.326567888 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.443205118 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.443741083 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.449215889 CEST8050046185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:50.449237108 CEST8050047185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:50.449285030 CEST5004680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.449459076 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.449498892 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:50.455024958 CEST8050047185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:51.367429018 CEST8050047185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:51.367695093 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.491647005 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.491867065 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.497468948 CEST8050048185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:51.497740030 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.497803926 CEST8050047185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:51.497809887 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.497857094 CEST5004780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:51.503304958 CEST8050048185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:52.407762051 CEST8050048185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:52.407840967 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.523026943 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.523400068 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.528820038 CEST8050049185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:52.528904915 CEST8050048185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:52.528942108 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.528984070 CEST5004880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.529237986 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:52.534778118 CEST8050049185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:53.619294882 CEST8050049185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:53.621212006 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.741795063 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.742141008 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.748249054 CEST8050049185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:53.748295069 CEST8050050185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:53.748508930 CEST5004980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.748543024 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.748616934 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:53.754426956 CEST8050050185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:54.652301073 CEST8050050185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:54.652410030 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.773425102 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.773701906 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.779539108 CEST8050051185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:54.779556990 CEST8050050185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:54.779634953 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.779660940 CEST5005080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.779867887 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:54.788007021 CEST8050051185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:55.682976961 CEST8050051185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:55.683403015 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.802733898 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.802917004 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.808500051 CEST8050052185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:55.808599949 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.808741093 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.809108019 CEST8050051185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:55.809278965 CEST5005180192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:55.814202070 CEST8050052185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:56.715542078 CEST8050052185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:56.715612888 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.838335991 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.838733912 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.844223022 CEST8050053185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:56.844245911 CEST8050052185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:56.844302893 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.844326973 CEST5005280192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.844530106 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:56.849805117 CEST8050053185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:57.779038906 CEST8050053185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:57.779160976 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.900264978 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.900583029 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.906294107 CEST8050053185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:57.906344891 CEST8050054185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:57.906557083 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.906608105 CEST5005380192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.906759977 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:57.912208080 CEST8050054185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:58.809578896 CEST8050054185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:58.814519882 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.931745052 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.932113886 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.937663078 CEST8050055185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:58.938112020 CEST8050054185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:58.938232899 CEST5005480192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.938256979 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.938457966 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:58.943799973 CEST8050055185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:59.858563900 CEST8050055185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:59.858762980 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.977968931 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.978298903 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.983696938 CEST8050056185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:59.983731031 CEST8050055185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:33:59.983773947 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.983792067 CEST5005580192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.984005928 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:33:59.989332914 CEST8050056185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:00.891052008 CEST8050056185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:00.891134977 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.007488966 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.007751942 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.013298035 CEST8050057185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:01.013375044 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.013495922 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.013562918 CEST8050056185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:01.018409014 CEST5005680192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:01.019174099 CEST8050057185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:01.940321922 CEST8050057185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:01.940395117 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.055073023 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.055493116 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.060924053 CEST8050057185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:02.060941935 CEST8050058185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:02.060969114 CEST5005780192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.061018944 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.061240911 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:02.066641092 CEST8050058185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:02.987421989 CEST8050058185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:02.987628937 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.119924068 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.120457888 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.125885963 CEST8050058185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:03.125905037 CEST8050059185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:03.125946999 CEST5005880192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.125977993 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.130187988 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:03.135704041 CEST8050059185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:04.034970045 CEST8050059185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:04.035034895 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.148730993 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.149215937 CEST5006080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.154633045 CEST8050059185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:04.154650927 CEST8050060185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:04.154906034 CEST5005980192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.154908895 CEST5006080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.157686949 CEST5006080192.168.2.4185.208.158.202
                                                                            Oct 24, 2024 04:34:04.163017988 CEST8050060185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:05.238210917 CEST8050060185.208.158.202192.168.2.4
                                                                            Oct 24, 2024 04:34:05.238295078 CEST5006080192.168.2.4185.208.158.202
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 24, 2024 04:32:53.480036020 CEST  63099        53         192.168.2.4    141.98.234.31
Oct 24, 2024 04:32:53.717657089 CEST  53           63099      141.98.234.31  192.168.2.4

Timestamp                             Source IP    Dest IP        Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
Oct 24, 2024 04:32:53.480036020 CEST  192.168.2.4  141.98.234.31  0x60f8    Standard query (0)  dluduxe.info  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP      Dest IP      Trans ID  Reply Code    Name          CName  Address          Type            Class        DNS over HTTPS
Oct 24, 2024 04:32:53.717657089 CEST  141.98.234.31  192.168.2.4  0x60f8    No error (0)  dluduxe.info  -      185.208.158.202  A (IP address)  IN (0x0001)  false
                                                                            • dluduxe.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:32:53.773935080 CEST | 319 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c3e894923b HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:54.689714909 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:32:54.804832935 CEST | 319 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c3e894923b HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:55.122922897 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 34 32 36 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 62 37 36 35 62 62 33 37 34 66 30 36 37 62 37 33 32 35 36 63 30 65 30 64 35 30 65 63 61 34 32 63 64 37 64 62 30 31 62 66 64 33 32 38 38 33 38 65 33 31 36 62 38 36 37 63 37 35 61 61 35 65 61 34 65 65 37 35 62 37 66 34 33 65 63 32 66 36 36 39 34 33 64 37 39 38 63 66 66 31 32 64 65 65 64 39 30 39 39 32 35 63 39 36 61 39 63 31 33 64 38 35 30 38 66 32 31 62 30 35 63 61 64 65 62 35 65 33 66 65 66 37 61 64 36 65 33 37 38 62 39 38 62 65 35 64 34 34 61 65 36 33 65 63 32 31 30 33 30 34 33 35 38 32 31 66 64 32 37 37 33 30 63 37 38 62 38 65 63 38 38 66 34 38 37 32 64 35 31 65 36 35 37 37 64 32 34 65 30 32 62 35 64 66 66 65 32 65 35 38 61 65 34 33 61 37 31 61 35 65 64 34 37 39 32 38 66 66 61 37 65 32 66 30 [TRUNCATED]
Data Ascii: [TRUNCATED]
Oct 24, 2024 04:32:55.122946024 CEST | 34 | IN | Data Raw: 39 61 39 61 36 31 64 63 65 65 30 37 37 62 37 65 34 65 39 66 64 31 35 32 35 34 30 0d 0a 30 0d 0a 0d 0a
Data Ascii: 9a9a61dcee077b7e4e9fd1525400
Oct 24, 2024 04:32:57.960613012 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:58.301464081 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:32:58.413924932 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:58.724085093 CEST | 1126 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 33 39 36 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 63 38 66 63 66 66 35 31 65 31 39 65 62 62 64 35 35 65 39 30 33 63 61 66 66 38 64 65 37 39 35 38 37 34 64 38 30 34 37 64 31 65 34 64 63 32 61 33 30 61 31 35 32 66 66 64 36 63 64 30 37 32 39 65 39 37 64 35 39 61 64 37 35 66 36 36 63 61 38 33 32 35 33 64 65 66 63 64 33 30 62 64 65 34 31 63 38 37 65 61 65 31 34 66 61 33 39 38 66 32 36 65 34 31 30 61 64 36 30 63 30 34 64 62 39 65 32 35 30 65 66 35 62 37 62 35 64 65 64 32 34 36 33 39 66 33 61 36 37 38 65 66 66 31 61 63 36 65 61 38 62 39 38 33 61 64 33 36 64 39 37 31 32 63 36 35 31 38 66 32 66 62 63 35 38 62 33 65 39 35 66 32 61 65 62 37 65 63 63 66 63 37 39 62 31 39 31 65 64 64 33 35 34 65 32 33 34 63 38 31 36 33 35 35 64 35 31 32 31 65 37 32 64 36 63 30 61 36 33 62 38 66 32 38 35 66 38 39 38 32 62 35 30 65 63 35 39 37 62 32 31 66 65 32 31 35 35 66 35 65 32 65 35 38 63 66 38 32 30 37 61 61 32 65 64 35 39 39 30 38 35 66 64 37 30 32 32 31 [TRUNCATED]
Data Ascii: [TRUNCATED]
Oct 24, 2024 04:32:58.835378885 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:59.144109011 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:32:59.257745028 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:59.487529993 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:32:59.887794018 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:32:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:00.132597923 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:00.750226021 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
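The session above is the whole C2 conversation in miniature: the dropped dpfreevideoconverter3264.exe repeats a GET /search/?q=<long hex> to dluduxe.info, announces itself with a User-Agent claiming "Windows NT 9.0" (an NT major version that never shipped; Windows 10 and 11 report 10.0, Windows 8.1 reports 6.3), and the server answers with a chunked body whose "Data Ascii" column is just the chunk framing with CR/LF stripped: the 220-byte reply is one 0xe-byte chunk carrying 67b680813008c2 followed by the last-chunk marker, and the two longer replies are single chunks of 0x426 (1062) and 0x396 (918) bytes whose middles the report truncates. The script below is an added example, not part of the Joe Sandbox report or of the sample: it decodes that chunked framing so the reply body can be compared across runs, and scores the request pattern with the indicators a detection engineer would key on. The request timing and the two q= payloads are taken from session 0; the Request type, the benign control session, the example.com host and the scoring thresholds are assumptions of the example.

```python
"""Added example (not part of the Joe Sandbox report): decode the chunked C2
replies and score the request pattern for beacon-like indicators.
Request timing and payloads are constructed from session 0 of the report;
the Request type, the benign control and the thresholds are assumptions."""
import re
import statistics
from typing import NamedTuple, Optional


class Request(NamedTuple):
    ts: float          # seconds after 04:32:00, taken from the report's timestamps
    host: str
    path: str
    user_agent: str


# Verbatim "Data Raw" of the 220-byte reply: one 0xe-byte chunk, then the last chunk.
SHORT_REPLY_RAW = bytes.fromhex(
    "65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (RFC 9112, section 7.1).
    Raises ValueError on a truncated or malformed stream instead of guessing,
    which matters when the input is a sandbox capture that cut a reply short."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers, if any, are ignored here
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2


# --- beacon indicators -------------------------------------------------------
UA_NT_RE = re.compile(r"Windows NT (\d+)\.\d+")
REAL_NT_MAJORS = {5, 6, 10}   # NT 5.x (2000/XP/2003), 6.x (Vista..8.1), 10.0 (10/11)
HEX_QUERY_RE = re.compile(r"^/search/\?q=([0-9a-f]{64,})$")


def ua_is_fabricated(ua: str) -> bool:
    """True when the UA claims a Windows NT major version that never shipped."""
    m = UA_NT_RE.search(ua)
    return m is not None and int(m.group(1)) not in REAL_NT_MAJORS


def hex_query(path: str) -> Optional[str]:
    """The q= value when it is a long lowercase-hex blob, else None."""
    m = HEX_QUERY_RE.match(path)
    return m.group(1) if m else None


def score_session(reqs: list) -> dict:
    """Indicators for one client->host session."""
    payloads = [p for p in (hex_query(r.path) for r in reqs) if p]
    gaps = [b.ts - a.ts for a, b in zip(reqs, reqs[1:])]
    return {
        "fabricated_ua": any(ua_is_fabricated(r.user_agent) for r in reqs),
        "hex_query_requests": len(payloads),
        "distinct_payloads": len(set(payloads)),
        "max_repeat": max((payloads.count(p) for p in set(payloads)), default=0),
        "median_gap_s": statistics.median(gaps) if gaps else None,
    }


def is_beacon(reqs: list, max_median_gap_s: float = 5.0) -> bool:
    """Assumed rule: fake UA plus the same long hex query re-sent at a short cadence."""
    s = score_session(reqs)
    return (s["fabricated_ua"] and s["max_repeat"] >= 3
            and s["median_gap_s"] is not None and s["median_gap_s"] < max_median_gap_s)


# --- constructed input, copied from session 0 of the report -------------------
C2_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
Q1 = ("67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb5"
      "17aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9"
      "281ae978f271ea771795af8e05c445db22f31dfe339426fa11"
      "af66c156adb719a9577e55b8603e983a608cf616c3e894923b")
Q2 = ("67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab5"
      "17aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5"
      "281fc235a925ed3e51d6bd974a95129070b416e96cc92be510"
      "b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38"
      "ca6e9e16")
SESSION_0 = [Request(ts, "dluduxe.info", "/search/?q=" + q, C2_UA)
             for ts, q in [(53.77, Q1), (54.80, Q1), (57.96, Q2), (58.41, Q2),
                           (58.84, Q2), (59.26, Q2), (59.49, Q2), (60.13, Q2)]]
# Constructed control: a real browser search against a hypothetical site.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
BENIGN = [Request(10.0, "www.example.com", "/search/?q=video+converter", BROWSER_UA),
          Request(40.0, "www.example.com", "/search/?q=free+converter", BROWSER_UA)]
```

Running score_session(SESSION_0) reports a fabricated UA, eight hex-query requests with only two distinct payloads, the second one repeated six times, and a median inter-request gap under half a second, so is_beacon() fires, while the benign control trips none of the indicators. Two caveats a practitioner would want: a rule keyed on the "Windows NT 9.0" string alone is trivially changed by the operator, so the cadence and payload-repetition indicators are what carry the detection forward, and the two q= payloads share their first 47 hex digits before diverging, which is worth noting when comparing runs but is not something the report itself explains.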


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49756 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:00.873867035 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:01.802083015 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:01.916815996 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:02.230781078 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49767 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:02.369805098 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:03.272422075 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:03.381259918 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:03.681281090 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:03.808811903 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:04.708807945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49781 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:04.840502977 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:05.771502018 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:05.880839109 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:06.202121973 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:06.324573994 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:07.237375975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:07.349806070 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:07.651724100 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49801 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:07.780034065 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:08.693469048 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:08.803257942 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:09.102622986 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49807 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:09.323375940 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:10.214193106 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49817 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:10.340296030 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:11.254513979 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:11.366801023 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:11.667706966 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49823 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:11.906766891 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:12.836093903 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:12.943944931 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:13.264655113 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49834 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:13.386790037 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:14.303764105 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49840 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:14.764720917 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:15.697686911 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49851 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:15.824520111 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:16.730034113 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49857 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:16.871814013 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:17.779007912 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49863 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:17.902400017 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:18.818907022 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49869 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:18.949795961 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:19.855519056 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49875 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:19.982052088 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:20.890607119 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49882 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:21.012866974 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:21.915555954 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49892 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:22.043467045 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:22.968756914 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49898 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:23.092099905 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
    Host: dluduxe.info
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:24.006416082 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 02:33:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            20192.168.2.449904185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:24.138793945 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:25.036854982 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:24 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20
                                                                            Oct 24, 2024 04:33:25.146487951 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:25.451591015 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:25 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            21192.168.2.449915185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:25.574816942 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:26.480740070 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:26 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            22192.168.2.449921185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:26.605223894 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:27.515705109 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:27 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            23192.168.2.449927185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:27.637298107 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:28.559428930 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:28 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            24192.168.2.449933185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:28.683373928 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:29.601541996 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:29 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20
                                                                            Oct 24, 2024 04:33:29.708830118 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:30.010330915 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:29 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            25192.168.2.449944185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:30.138083935 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:31.041526079 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:30 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            26192.168.2.449950185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:31.167865038 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:32.095658064 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:31 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            27192.168.2.449956185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:32.214844942 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:33.140543938 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:33 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            28192.168.2.449963185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:33.261528969 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:34.153618097 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:34 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            29192.168.2.449971185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:34.278100014 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:35.188620090 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:35 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            30192.168.2.449978185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:35.310137033 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:36.216007948 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:36 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            31192.168.2.449984185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:36.342098951 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:37.248198032 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:37 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            32192.168.2.449991185.208.158.202807440C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 24, 2024 04:33:37.373378992 CEST327OUTGET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
                                                                            Host: dluduxe.info
                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                            Oct 24, 2024 04:33:38.296314955 CEST220INHTTP/1.1 200 OK
                                                                            Server: nginx/1.20.1
                                                                            Date: Thu, 24 Oct 2024 02:33:38 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: keep-alive
                                                                            X-Powered-By: PHP/7.4.33
                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49997 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:38.419681072 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:39.330132961 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 50005 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:39.451271057 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:40.365346909 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:40.474945068 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:40.775971889 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 50014 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:40.904716015 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:41.800928116 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:41.915819883 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:42.218097925 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 50024 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:42.341962099 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:43.252218008 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 50030 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:43.371707916 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:44.302874088 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 50037 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:44.433716059 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:45.336340904 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 50043 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:45.465822935 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:46.376806974 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 50044 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:46.496520042 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:47.390480042 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 50045 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:47.511936903 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:48.424745083 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:48.538196087 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:48.844330072 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 50046 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:48.967528105 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:49.893418074 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 04:33:50.005810976 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:50.326457024 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 50047 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:50.449498892 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:51.367429018 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 50048 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:51.497809887 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:52.407762051 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 50049 | 185.208.158.202 | 80 | 7440 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:52.529237986 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:53.619294882 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 50050 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:53.748616934 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:54.652301073 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 50051 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:54.779867887 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:55.682976961 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 50052 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:55.808741093 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:56.715542078 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 50053 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:56.844530106 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:57.779038906 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 50054 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:57.906759977 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:58.809578896 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 50055 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:58.938457966 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:33:59.858563900 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:33:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 50056 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:33:59.984005928 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:34:00.891052008 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:34:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 50057 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:34:01.013495922 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:34:01.940321922 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:34:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 54 | Source IP: 192.168.2.4 | Source Port: 50058 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:34:02.061240911 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:34:02.987421989 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:34:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 55 | Source IP: 192.168.2.4 | Source Port: 50059 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:34:03.130187988 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:34:04.034970045 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:34:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID: 56 | Source IP: 192.168.2.4 | Source Port: 50060 | Destination IP: 185.208.158.202 | Destination Port: 80 | PID: 7440 | Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 04:34:04.157686949 CEST | 327 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16 HTTP/1.1
Host: dluduxe.info
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 04:34:05.238210917 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 02:34:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
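The sessions above are one polling loop: the same GET /search/?q=<208 hex chars> to dluduxe.info about once a second, each on a fresh TCP connection (source ports 50049, 50050, ...), with a User-Agent claiming "Windows NT 9.0" (no such Windows version was ever shipped) and a 220-byte chunked reply whose body is the 14-character token 67b680813008c2. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the request and response from the values shown, checks that they match the reported 327 and 220 bytes, decodes the chunked body, and lists the traits an analyst would use to flag this as C2 polling. The session rows are copied from the table above; the function names, the 25% jitter threshold and the table of real NT version strings are this example's own assumptions.

```python
"""Triage of the HTTP sessions listed in the report above.

Constructed input: the session rows, request line, User-Agent and raw
response bytes are copied from the report; the function names, the beacon
threshold and the table of real Windows NT version strings are this
example's own assumptions, not part of the report."""
import re
import statistics
from datetime import datetime

# Copied from the report's session table: (session id, source port, request timestamp).
SESSIONS = [
    (45, 50049, "Oct 24, 2024 04:33:52.529237986 CEST"),
    (46, 50050, "Oct 24, 2024 04:33:53.748616934 CEST"),
    (47, 50051, "Oct 24, 2024 04:33:54.779867887 CEST"),
    (48, 50052, "Oct 24, 2024 04:33:55.808741093 CEST"),
    (49, 50053, "Oct 24, 2024 04:33:56.844530106 CEST"),
    (50, 50054, "Oct 24, 2024 04:33:57.906759977 CEST"),
    (51, 50055, "Oct 24, 2024 04:33:58.938457966 CEST"),
    (52, 50056, "Oct 24, 2024 04:33:59.984005928 CEST"),
]
Q_PARAM = ("67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec91854a"
           "875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e9"
           "6cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d38ca6e9e16")
HOST = "dluduxe.info"
USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
# "Data Raw" of every response in the table, exactly as the report shows it.
RESPONSE_RAW = bytes.fromhex(
    "65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a")
# Assumption: NT version strings a real Windows build reports (NT 4.0 through Windows 11).
REAL_NT_VERSIONS = {"4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def request_bytes(q: str = Q_PARAM) -> bytes:
    """Rebuild the request on the wire; its length should match the report's 327 bytes."""
    lines = [f"GET /search/?q={q} HTTP/1.1", f"Host: {HOST}", f"User-Agent: {USER_AGENT}", ""]
    return "\r\n".join(lines).encode() + b"\r\n"


def response_bytes(date: str = "Thu, 24 Oct 2024 02:33:53 GMT") -> bytes:
    """Rebuild the response on the wire; its length should match the report's 220 bytes."""
    headers = ["HTTP/1.1 200 OK", "Server: nginx/1.20.1", f"Date: {date}",
               "Content-Type: text/html; charset=UTF-8", "Transfer-Encoding: chunked",
               "Connection: keep-alive", "X-Powered-By: PHP/7.4.33", ""]
    return "\r\n".join(headers).encode() + b"\r\n" + RESPONSE_RAW


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (RFC 9112 section 7.1); chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_timestamp(text: str) -> datetime:
    """Parse the report's 'Oct 24, 2024 04:33:52.529237986 CEST' form (nanoseconds truncated to microseconds)."""
    m = re.fullmatch(r"([A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) [A-Z]+", text)
    return datetime.strptime(f"{m.group(1)}.{m.group(2)[:6]}", "%b %d, %Y %H:%M:%S.%f")


def poll_intervals(sessions) -> list:
    """Seconds between consecutive requests."""
    times = [parse_timestamp(ts) for _, _, ts in sessions]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def assess_beacon(sessions, user_agent: str = USER_AGENT, q: str = Q_PARAM) -> list:
    """Return the traits that make this traffic look like C2 polling rather than browsing."""
    findings = []
    intervals = poll_intervals(sessions)
    if len(intervals) >= 3:
        median = statistics.median(intervals)
        spread = max(intervals) - min(intervals)
        if spread < 0.25 * median:  # near-constant sleep, no jitter
            findings.append(f"fixed-interval polling: median {median:.2f}s, spread {spread:.2f}s")
    ports = [port for _, port, _ in sessions]
    if ports == list(range(ports[0], ports[0] + len(ports))):
        findings.append("one fresh TCP connection per poll (consecutive source ports)")
    nt = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if nt and nt.group(1) not in REAL_NT_VERSIONS:
        findings.append(f"User-Agent claims Windows NT {nt.group(1)}, a version that does not exist")
    if re.fullmatch(r"[0-9a-f]+", q) and len(q) % 2 == 0:
        findings.append(f"query is {len(q) // 2} opaque bytes, hex-encoded, identical on every poll")
    return findings


if __name__ == "__main__":
    print(len(request_bytes()), len(response_bytes()), decode_chunked(RESPONSE_RAW))
    for finding in assess_beacon(SESSIONS):
        print("-", finding)
```

The byte-count check is the useful sanity step: 327 bytes out is only reachable if the q value is exactly 208 hex characters and the request carries no other headers, which rules out a truncated capture and confirms the client sends nothing but those three header lines. The response body decodes to 14 bytes, so a proxy or IDS rule can key on the combination of a constant-length hex query and a sub-20-byte chunked reply rather than on the domain alone.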



                                                                            Target ID:0
                                                                            Start time:22:31:58
                                                                            Start date:23/10/2024
                                                                            Path:C:\Users\user\Desktop\1iGYsIphmN.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\1iGYsIphmN.exe"
                                                                            Imagebase:0x400000
                                                                            File size:4'079'665 bytes
                                                                            MD5 hash:B550E3DC4795F15C0BFEBD24CB130CE7
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:1
                                                                            Start time:22:31:58
                                                                            Start date:23/10/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-92VMD.tmp\1iGYsIphmN.tmp" /SL5="$20470,3807573,53248,C:\Users\user\Desktop\1iGYsIphmN.exe"
                                                                            Imagebase:0x400000
                                                                            File size:680'960 bytes
                                                                            MD5 hash:BD4BFB94D85C372C939F660E464CFCD5
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:2
                                                                            Start time:22:32:00
                                                                            Start date:23/10/2024
                                                                            Path:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i
                                                                            Imagebase:0x400000
                                                                            File size:2'799'616 bytes
                                                                            MD5 hash:3CBD9752E46D8042741DE2DE58F2B0DF
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2945690706.00000000026BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low
                                                                            Has exited:false


                                                                              Execution Graph

                                                                              Execution Coverage:21.4%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:2.4%
                                                                              Total number of Nodes:1511
                                                                              Total number of Limit Nodes:16
execution_graph: node/edge dump of the interactive graph. API-call nodes recoverable from the dump (address, imported function): 0x407544 ReadFile; 0x40756a GetLastError; 0x402b48 RaiseException; 0x409cae MessageBoxA; 0x4026c4 GetSystemTime; 0x403a5a WriteFile; 0x403a78 GetLastError; 0x4030e1 GetModuleHandleA, GetCommandLineA; 0x408efc GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress; 0x406564 call to 6F551CD0; 0x406ec4 SetErrorMode; 0x409944 GetSystemInfo, VirtualQuery; 0x4099d9 VirtualQuery; 0x409998 VirtualProtect; 0x4099c7 VirtualProtect; 0x403454 LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue; 0x406b0c GetCommandLineA; 0x406bb3 GetCommandLineA; 0x406b8f GetModuleFileNameA; 0x409a00 FindResourceA; 0x409a1a SizeofResource; 0x409a2c LoadResource; 0x409a3f LockResource; 0x407830 InterlockedExchange. The remaining nodes are labelled only by address and an "N API calls" count.
5382->5380 5382->5381 5383 407b94 23 API calls 5382->5383 5383->5382 5570 4077dc 5384->5570 5388 4098d5 5387->5388 5389 4098bd 5387->5389 5390 4057e0 4 API calls 5388->5390 5391 4057e0 4 API calls 5389->5391 5392 4098e6 5390->5392 5393 4098cf 5391->5393 5392->5273 5393->5273 5395 402594 4 API calls 5394->5395 5396 404b7b 5395->5396 5396->5284 5397->5289 5399 405890 5 API calls 5398->5399 5400 405c09 5399->5400 5401 4051d0 GetSystemDefaultLCID 5400->5401 5403 405206 5401->5403 5402 404c2c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5402->5403 5403->5402 5404 40515c LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5403->5404 5405 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5403->5405 5408 405268 5403->5408 5404->5403 5405->5403 5406 404c2c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5406->5408 5407 40515c LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5407->5408 5408->5406 5408->5407 5409 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5408->5409 5410 4052eb 5408->5410 5409->5408 5411 4031b8 4 API calls 5410->5411 5412 405305 5411->5412 5413 405314 GetSystemDefaultLCID 5412->5413 5470 40515c GetLocaleInfoA 5413->5470 5416 4031e8 4 API calls 5417 405354 5416->5417 5418 40515c 5 API calls 5417->5418 5419 405369 5418->5419 5420 40515c 5 API calls 5419->5420 5421 40538d 5420->5421 5476 4051a8 GetLocaleInfoA 5421->5476 5424 4051a8 GetLocaleInfoA 5425 4053bd 5424->5425 5426 40515c 5 API calls 5425->5426 5427 4053d7 5426->5427 5428 4051a8 GetLocaleInfoA 5427->5428 5429 4053f4 5428->5429 5430 40515c 5 API calls 5429->5430 5431 40540e 5430->5431 5432 4031e8 4 API calls 5431->5432 5433 40541b 5432->5433 5434 40515c 5 API calls 5433->5434 5435 405430 5434->5435 5436 4031e8 4 API calls 5435->5436 5437 40543d 5436->5437 5438 4051a8 GetLocaleInfoA 5437->5438 5439 40544b 5438->5439 5440 40515c 5 API calls 5439->5440 5441 405465 5440->5441 5442 4031e8 4 API calls 5441->5442 5443 405472 5442->5443 5444 40515c 5 
API calls 5443->5444 5445 405487 5444->5445 5446 4031e8 4 API calls 5445->5446 5447 405494 5446->5447 5448 40515c 5 API calls 5447->5448 5449 4054a9 5448->5449 5450 4054c6 5449->5450 5451 4054b7 5449->5451 5453 40322c 4 API calls 5450->5453 5484 40322c 5451->5484 5454 4054c4 5453->5454 5455 40515c 5 API calls 5454->5455 5456 4054e8 5455->5456 5457 405505 5456->5457 5458 4054f6 5456->5458 5460 403198 4 API calls 5457->5460 5459 40322c 4 API calls 5458->5459 5461 405503 5459->5461 5460->5461 5478 4033b4 5461->5478 5463 405527 5464 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5463->5464 5465 405541 5464->5465 5466 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5465->5466 5467 40555b 5466->5467 5468 405c44 GetVersionExA 5467->5468 5469 405c5b 5468->5469 5469->5302 5471 405183 5470->5471 5472 405195 5470->5472 5473 403278 4 API calls 5471->5473 5474 40322c 4 API calls 5472->5474 5475 405193 5473->5475 5474->5475 5475->5416 5477 4051c4 5476->5477 5477->5424 5479 4033bc 5478->5479 5480 403254 4 API calls 5479->5480 5481 4033cf 5480->5481 5482 4031e8 4 API calls 5481->5482 5483 4033f7 5482->5483 5485 403230 5484->5485 5486 403252 5485->5486 5487 4025ac 4 API calls 5485->5487 5486->5454 5487->5486 5492 403414 5488->5492 5491 406f12 5491->5307 5493 403418 LoadLibraryA 5492->5493 5493->5491 5501 406a2c 5494->5501 5496 406b2f 5497 406b41 5496->5497 5498 406a2c 4 API calls 5496->5498 5499 403198 4 API calls 5497->5499 5498->5496 5500 406b56 5499->5500 5500->5323 5502 406a58 5501->5502 5503 403278 4 API calls 5502->5503 5504 406a65 5503->5504 5511 403420 5504->5511 5506 406a6d 5507 4031e8 4 API calls 5506->5507 5508 406a85 5507->5508 5509 403198 4 API calls 5508->5509 5510 406aa4 5509->5510 5510->5496 5512 403426 5511->5512 5514 403437 5511->5514 5513 403254 4 API calls 5512->5513 5512->5514 5513->5514 5514->5506 5516 403414 5515->5516 5517 4074cf CreateFileA 5516->5517 5517->5341 5519 407490 5518->5519 5520 4074cf CreateFileA 5519->5520 5520->5341 5522 407ba4 
5521->5522 5523 407baf 5521->5523 5529 407db4 5522->5529 5540 407b38 5523->5540 5526 4057e0 4 API calls 5527 407bad 5526->5527 5527->5376 5530 407dc9 5529->5530 5532 407dd8 5530->5532 5547 407ccc 5530->5547 5533 407e12 5532->5533 5534 407ccc 19 API calls 5532->5534 5535 407e26 5533->5535 5536 407ccc 19 API calls 5533->5536 5534->5533 5539 407e52 5535->5539 5544 407d5c 5535->5544 5536->5535 5539->5527 5541 407b8b 5540->5541 5542 407b4c 5540->5542 5541->5526 5541->5527 5542->5541 5558 407a88 5542->5558 5545 407d6b VirtualFree 5544->5545 5546 407d7d VirtualAlloc 5544->5546 5545->5546 5546->5539 5550 405814 5547->5550 5549 407cee 5549->5532 5551 405820 5550->5551 5552 4050e4 19 API calls 5551->5552 5553 40584d 5552->5553 5554 4031e8 4 API calls 5553->5554 5555 405858 5554->5555 5556 403198 4 API calls 5555->5556 5557 40586d 5556->5557 5557->5549 5559 407a93 5558->5559 5560 407aa4 5558->5560 5561 4057e0 4 API calls 5559->5561 5562 4073b8 20 API calls 5560->5562 5561->5560 5563 407ab8 5562->5563 5564 4073b8 20 API calls 5563->5564 5565 407ad9 5564->5565 5566 407830 InterlockedExchange 5565->5566 5567 407aee 5566->5567 5568 4057e0 4 API calls 5567->5568 5569 407b04 5567->5569 5568->5569 5569->5542 5571 4077ee 5570->5571 5572 4077ff 5570->5572 5573 4077f3 InterlockedExchange 5571->5573 5572->5274 5573->5572 6158 402654 6159 403154 4 API calls 6158->6159 6160 402614 6159->6160 6161 402632 6160->6161 6162 403154 4 API calls 6160->6162 6161->6161 6162->6161 4862 407460 4863 40746c CloseHandle 4862->4863 4864 407475 4862->4864 4863->4864 6163 402e64 6164 402e69 6163->6164 6165 402e7a RtlUnwind 6164->6165 6166 402e5e 6164->6166 6167 402e9d 6165->6167 5589 409c68 5590 4098b4 4 API calls 5589->5590 5591 409c6d 5590->5591 5592 409c72 5591->5592 5708 402f24 5591->5708 5626 40961c 5592->5626 5595 409cca 5647 4026c4 GetSystemTime 5595->5647 5597 409c77 5597->5595 5713 408c34 5597->5713 5598 409ccf 5648 409188 5598->5648 5602 4031e8 4 API calls 5604 409ce4 5602->5604 5603 409ca6 5606 
409cae MessageBoxA 5603->5606 5666 40686c 5604->5666 5606->5595 5608 409cbb 5606->5608 5716 4057b4 5608->5716 5613 409d12 5693 403340 5613->5693 5615 409d20 5616 4031e8 4 API calls 5615->5616 5617 409d30 5616->5617 5618 4073f8 23 API calls 5617->5618 5619 409d6f 5618->5619 5620 402594 4 API calls 5619->5620 5621 409d8f 5620->5621 5622 407904 5 API calls 5621->5622 5623 409dd1 5622->5623 5624 407b94 23 API calls 5623->5624 5625 409df8 5624->5625 5627 409663 5626->5627 5633 409629 5626->5633 5628 409670 5627->5628 5629 40966c 5627->5629 5726 406f48 GetModuleHandleA GetProcAddress 5628->5726 5630 409679 GetUserDefaultLangID 5629->5630 5639 40966e 5629->5639 5630->5639 5633->5627 5636 409653 5633->5636 5634 40971d 5635 4095d0 5 API calls 5634->5635 5637 40965a 5635->5637 5720 4095d0 5636->5720 5637->5597 5639->5634 5640 4096ce 5639->5640 5641 4096c1 5639->5641 5642 4096b7 GetACP 5639->5642 5640->5634 5644 409710 5640->5644 5645 409706 GetACP 5640->5645 5643 4095d0 5 API calls 5641->5643 5642->5639 5642->5641 5643->5637 5646 4095d0 5 API calls 5644->5646 5645->5640 5645->5644 5646->5637 5647->5598 5651 4091a8 5648->5651 5652 4091cd CreateDirectoryA 5651->5652 5657 408c34 4 API calls 5651->5657 5662 4071a8 5 API calls 5651->5662 5665 4057e0 4 API calls 5651->5665 5813 406c30 5651->5813 5836 40907c 5651->5836 5855 404be4 5651->5855 5858 408c04 5651->5858 5653 409245 5652->5653 5654 4091d7 GetLastError 5652->5654 5655 40322c 4 API calls 5653->5655 5654->5651 5656 40924f 5655->5656 5658 4031b8 4 API calls 5656->5658 5657->5651 5660 409269 5658->5660 5661 4031b8 4 API calls 5660->5661 5663 409276 5661->5663 5662->5651 5663->5602 5665->5651 5967 406764 5666->5967 5669 403454 4 API calls 5670 40688e 5669->5670 5671 406608 5670->5671 5972 406828 5671->5972 5674 406646 5677 403454 4 API calls 5674->5677 5675 406638 5676 403340 4 API calls 5675->5676 5679 406644 5676->5679 5678 406659 5677->5678 5680 403340 4 API calls 5678->5680 5681 403198 4 API calls 5679->5681 5680->5679 5682 
40667b 5681->5682 5683 406594 5682->5683 5684 4065c0 5683->5684 5685 40659e 5683->5685 5686 40322c 4 API calls 5684->5686 5978 406894 5685->5978 5688 4065c9 5686->5688 5688->5613 5689 4065a5 5689->5684 5690 4065af 5689->5690 5691 403340 4 API calls 5690->5691 5692 4065bd 5691->5692 5692->5613 5694 403344 5693->5694 5695 4033a5 5693->5695 5696 4031e8 5694->5696 5699 40334c 5694->5699 5697 4031fc 5696->5697 5700 403254 4 API calls 5696->5700 5698 403228 5697->5698 5704 4025ac 4 API calls 5697->5704 5698->5615 5699->5695 5701 4031e8 4 API calls 5699->5701 5703 40335b 5699->5703 5700->5697 5701->5703 5702 403254 4 API calls 5705 403375 5702->5705 5703->5702 5704->5698 5706 4031e8 4 API calls 5705->5706 5707 4033a1 5706->5707 5707->5615 5709 403154 4 API calls 5708->5709 5710 402f29 5709->5710 5982 402bcc 5710->5982 5712 402f51 5712->5712 5714 408c04 4 API calls 5713->5714 5715 408c50 5714->5715 5715->5603 5717 4057b9 5716->5717 5718 405890 5 API calls 5717->5718 5719 4057cb 5718->5719 5719->5719 5721 4095d8 5720->5721 5725 409610 5720->5725 5722 403420 4 API calls 5721->5722 5721->5725 5723 40960a 5722->5723 5747 408cdc 5723->5747 5725->5637 5727 406f82 5726->5727 5728 406f8b 5726->5728 5738 403198 4 API calls 5727->5738 5729 406f94 5728->5729 5730 406fcc 5728->5730 5763 406e8c 5729->5763 5732 406e8c RegOpenKeyExA 5730->5732 5734 406fe5 5732->5734 5733 406fad 5735 407002 5733->5735 5766 406e80 5733->5766 5734->5735 5739 406e80 6 API calls 5734->5739 5736 40322c 4 API calls 5735->5736 5741 40700f 5736->5741 5743 407044 5738->5743 5740 406ff9 RegCloseKey 5739->5740 5740->5735 5769 4032fc 5741->5769 5744 403198 4 API calls 5743->5744 5746 40704c 5744->5746 5746->5639 5748 408cea 5747->5748 5750 408d02 5748->5750 5760 408c74 5748->5760 5751 408c74 4 API calls 5750->5751 5752 408d26 5750->5752 5751->5752 5753 407830 InterlockedExchange 5752->5753 5754 408d3f 5753->5754 5755 408c74 4 API calls 5754->5755 5757 408d52 5754->5757 5755->5757 5756 408c74 4 API calls 5756->5757 
5757->5756 5758 403278 4 API calls 5757->5758 5759 408d81 5757->5759 5758->5757 5759->5725 5761 4057e0 4 API calls 5760->5761 5762 408c85 5761->5762 5762->5750 5764 406e97 5763->5764 5765 406e9d RegOpenKeyExA 5763->5765 5764->5765 5765->5733 5783 406d4c 5766->5783 5770 403300 5769->5770 5771 40333f 5769->5771 5772 4031e8 5770->5772 5773 40330a 5770->5773 5771->5727 5776 4031fc 5772->5776 5780 403254 4 API calls 5772->5780 5774 403334 5773->5774 5775 40331d 5773->5775 5779 4034f0 4 API calls 5774->5779 5777 4034f0 4 API calls 5775->5777 5778 403228 5776->5778 5782 4025ac 4 API calls 5776->5782 5781 403322 5777->5781 5778->5727 5779->5781 5780->5776 5781->5727 5782->5778 5784 406d71 RegQueryValueExA 5783->5784 5790 406d91 5784->5790 5798 406db3 5784->5798 5785 403198 4 API calls 5787 406e6c RegCloseKey 5785->5787 5786 406dab 5788 403198 4 API calls 5786->5788 5787->5735 5788->5798 5789 403278 4 API calls 5789->5790 5790->5786 5790->5789 5791 403420 4 API calls 5790->5791 5790->5798 5792 406dd3 RegQueryValueExA 5791->5792 5792->5784 5793 406de8 5792->5793 5793->5798 5800 4034f0 5793->5800 5796 406e42 5797 4031e8 4 API calls 5796->5797 5797->5798 5798->5785 5799 403420 4 API calls 5799->5796 5801 4034fd 5800->5801 5808 40352d 5800->5808 5802 403526 5801->5802 5804 403509 5801->5804 5805 403254 4 API calls 5802->5805 5803 403198 4 API calls 5806 403517 5803->5806 5809 4025c4 5804->5809 5805->5808 5806->5796 5806->5799 5808->5803 5810 4025ca 5809->5810 5811 4025dc 5810->5811 5812 403154 4 API calls 5810->5812 5811->5806 5811->5811 5812->5811 5862 406994 5813->5862 5816 406c62 5818 406994 5 API calls 5816->5818 5820 406cae 5816->5820 5819 406c72 5818->5819 5821 406c7e 5819->5821 5823 406970 7 API calls 5819->5823 5870 4067cc 5820->5870 5821->5820 5826 406994 5 API calls 5821->5826 5832 406ca3 5821->5832 5823->5821 5828 406c97 5826->5828 5827 406594 5 API calls 5829 406cc3 5827->5829 5831 406970 7 API calls 5828->5831 5828->5832 5830 40322c 4 API calls 5829->5830 5833 
406ccd 5830->5833 5831->5832 5832->5820 5882 406c04 GetWindowsDirectoryA 5832->5882 5834 4031b8 4 API calls 5833->5834 5835 406ce7 5834->5835 5835->5651 5837 40909c 5836->5837 5838 406594 5 API calls 5837->5838 5839 4090b5 5838->5839 5840 40322c 4 API calls 5839->5840 5841 4090c0 5840->5841 5843 4068b4 6 API calls 5841->5843 5844 4033b4 4 API calls 5841->5844 5845 408c34 4 API calls 5841->5845 5847 4057e0 4 API calls 5841->5847 5848 40913c 5841->5848 5921 409008 5841->5921 5929 408e8c 5841->5929 5843->5841 5844->5841 5845->5841 5847->5841 5849 40322c 4 API calls 5848->5849 5850 409147 5849->5850 5851 4031b8 4 API calls 5850->5851 5852 409161 5851->5852 5853 403198 4 API calls 5852->5853 5854 409169 5853->5854 5854->5651 5856 4050f8 19 API calls 5855->5856 5857 404c02 5856->5857 5857->5651 5859 408c24 5858->5859 5957 408b04 5859->5957 5863 4034f0 4 API calls 5862->5863 5865 4069a7 5863->5865 5864 4069be GetEnvironmentVariableA 5864->5865 5866 4069ca 5864->5866 5865->5864 5869 4069d1 5865->5869 5884 406d28 5865->5884 5867 403198 4 API calls 5866->5867 5867->5869 5869->5816 5879 406970 5869->5879 5871 403414 5870->5871 5872 4067ef GetFullPathNameA 5871->5872 5873 406812 5872->5873 5874 4067fb 5872->5874 5876 40322c 4 API calls 5873->5876 5874->5873 5875 406803 5874->5875 5877 403278 4 API calls 5875->5877 5878 406810 5876->5878 5877->5878 5878->5827 5888 406918 5879->5888 5883 406c25 5882->5883 5883->5820 5885 406d36 5884->5885 5886 4034f0 4 API calls 5885->5886 5887 406d44 5886->5887 5887->5865 5895 4068b4 5888->5895 5890 40693a 5891 406942 GetFileAttributesA 5890->5891 5892 406957 5891->5892 5893 403198 4 API calls 5892->5893 5894 40695f 5893->5894 5894->5816 5905 40668c 5895->5905 5897 4068c5 5898 4068d7 CharPrevA 5897->5898 5899 4068eb 5897->5899 5898->5897 5900 406901 5899->5900 5901 4068f6 5899->5901 5912 403454 5900->5912 5902 40322c 4 API calls 5901->5902 5904 4068ff 5902->5904 5904->5890 5907 40669d 5905->5907 5906 4066fd 5908 4065d8 IsDBCSLeadByte 5906->5908 
5911 4066f8 5906->5911 5907->5906 5909 4066b9 5907->5909 5908->5911 5909->5911 5919 4065d8 IsDBCSLeadByte 5909->5919 5911->5897 5913 403486 5912->5913 5914 403459 5912->5914 5915 403198 4 API calls 5913->5915 5914->5913 5916 40346d 5914->5916 5918 40347c 5915->5918 5917 403278 4 API calls 5916->5917 5917->5918 5918->5904 5920 4065ec 5919->5920 5920->5909 5922 403198 4 API calls 5921->5922 5924 409029 5922->5924 5926 409056 5924->5926 5938 4032a8 5924->5938 5941 403494 5924->5941 5927 403198 4 API calls 5926->5927 5928 40906b 5927->5928 5928->5841 5945 408dc8 5929->5945 5931 408ea2 5932 408ea6 5931->5932 5951 406984 5931->5951 5932->5841 5935 408ed9 5954 408e04 5935->5954 5939 403278 4 API calls 5938->5939 5940 4032b5 5939->5940 5940->5924 5942 4034c3 5941->5942 5943 403498 5941->5943 5942->5924 5944 4034f0 4 API calls 5943->5944 5944->5942 5946 408dd2 5945->5946 5947 408dd6 5945->5947 5946->5931 5948 408df8 SetLastError 5947->5948 5949 408ddf Wow64DisableWow64FsRedirection 5947->5949 5950 408df3 5948->5950 5949->5950 5950->5931 5952 406918 7 API calls 5951->5952 5953 40698e GetLastError 5952->5953 5953->5935 5955 408e13 5954->5955 5956 408e09 Wow64RevertWow64FsRedirection 5954->5956 5955->5841 5956->5955 5958 403198 4 API calls 5957->5958 5965 408b35 5957->5965 5958->5965 5959 4031b8 4 API calls 5960 408be5 5959->5960 5960->5651 5961 408b4c 5964 4032fc 4 API calls 5961->5964 5962 403278 4 API calls 5962->5965 5963 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5963->5965 5966 408b60 5964->5966 5965->5961 5965->5962 5965->5963 5965->5966 5966->5959 5968 40668c IsDBCSLeadByte 5967->5968 5970 406779 5968->5970 5969 4067c2 5969->5669 5970->5969 5971 4065d8 IsDBCSLeadByte 5970->5971 5971->5970 5973 406837 5972->5973 5974 406764 IsDBCSLeadByte 5973->5974 5977 406842 5974->5977 5975 406632 5975->5674 5975->5675 5976 4065d8 IsDBCSLeadByte 5976->5977 5977->5975 5977->5976 5979 40689b 5978->5979 5980 40689f 5978->5980 5979->5689 5981 4068a6 CharPrevA 5980->5981 
5981->5689 5983 402bd5 RaiseException 5982->5983 5984 402be6 5982->5984 5983->5984 5984->5712 6180 408e76 6181 408e68 6180->6181 6182 408e04 Wow64RevertWow64FsRedirection 6181->6182 6183 408e70 6182->6183 6184 407e78 6185 407ea0 6184->6185 6187 407ea7 6184->6187 6186 407db4 21 API calls 6185->6186 6186->6187 6188 407eda 6187->6188 6190 407ed0 6187->6190 6191 407ece 6187->6191 6189 407f0f 6188->6189 6192 407ccc 19 API calls 6188->6192 6194 403198 4 API calls 6189->6194 6193 407ccc 19 API calls 6190->6193 6195 4050e4 19 API calls 6191->6195 6192->6189 6193->6188 6196 407f24 6194->6196 6197 407ef6 6195->6197 6199 407c54 6197->6199 6200 407c57 6199->6200 6201 40322c 4 API calls 6200->6201 6202 407c79 6201->6202 6203 4032fc 4 API calls 6202->6203 6204 407c83 6203->6204 6205 4057e0 4 API calls 6204->6205 6206 407c92 6205->6206 6207 403198 4 API calls 6206->6207 6208 407cac 6207->6208 6208->6188 6209 408e78 SetLastError 6210 408e81 6209->6210 6645 403f7d 6646 403fa2 6645->6646 6647 403f84 6645->6647 6646->6647 6649 403e8e 4 API calls 6646->6649 6648 403f8c 6647->6648 6650 402674 4 API calls 6647->6650 6649->6647 6651 403fca 6650->6651 6660 403d02 6667 403d12 6660->6667 6661 403ddf ExitProcess 6662 403db8 6664 403cc8 4 API calls 6662->6664 6663 403dea 6665 403dc2 6664->6665 6666 403cc8 4 API calls 6665->6666 6668 403dcc 6666->6668 6667->6661 6667->6662 6667->6663 6667->6667 6670 403da4 6667->6670 6671 403d8f MessageBoxA 6667->6671 6680 4019dc 6668->6680 6676 403fe4 6670->6676 6671->6662 6672 403dd1 6672->6661 6672->6663 6677 403fe8 6676->6677 6678 403f07 4 API calls 6677->6678 6679 404006 6678->6679 6681 401abb 6680->6681 6682 4019ed 6680->6682 6681->6672 6683 401a04 RtlEnterCriticalSection 6682->6683 6684 401a0e LocalFree 6682->6684 6683->6684 6685 401a41 6684->6685 6686 401a2f VirtualFree 6685->6686 6687 401a49 6685->6687 6686->6685 6688 401a70 LocalFree 6687->6688 6689 401a87 6687->6689 6688->6688 6688->6689 6690 401aa9 RtlDeleteCriticalSection 6689->6690 6691 401a9f 
RtlLeaveCriticalSection 6689->6691 6690->6672 6691->6690 6221 404206 6222 4041cc 6221->6222 6225 40420a 6221->6225 6223 404282 6224 403154 4 API calls 6226 404323 6224->6226 6225->6223 6225->6224 6227 402c08 6228 402c82 6227->6228 6231 402c19 6227->6231 6229 402c56 RtlUnwind 6230 403154 4 API calls 6229->6230 6230->6228 6231->6228 6231->6229 6234 402b28 6231->6234 6235 402b31 RaiseException 6234->6235 6236 402b47 6234->6236 6235->6236 6236->6229 6702 407512 GetFileSize 6703 40753e 6702->6703 6704 40752e GetLastError 6702->6704 6704->6703 6705 407537 6704->6705 6706 4073a4 21 API calls 6705->6706 6706->6703 6237 409e17 6238 409e3c 6237->6238 6239 407830 InterlockedExchange 6238->6239 6240 409e66 6239->6240 6241 409e76 6240->6241 6242 4098b4 4 API calls 6240->6242 6247 4075c4 SetEndOfFile 6241->6247 6242->6241 6244 409e92 6245 4025ac 4 API calls 6244->6245 6246 409ec9 6245->6246 6248 4075d4 6247->6248 6249 4075db 6247->6249 6250 4073a4 21 API calls 6248->6250 6249->6244 6250->6249 6251 403018 6252 403070 6251->6252 6253 403025 6251->6253 6254 40302a RtlUnwind 6253->6254 6256 40304e 6254->6256 6255 402f78 6256->6255 6258 402be8 6256->6258 6259 402bf1 RaiseException 6258->6259 6260 402c04 6258->6260 6259->6260 6260->6252 6707 406f1f 6708 406f2c SetErrorMode 6707->6708 6261 405a24 6262 405a34 6261->6262 6263 405a2c 6261->6263 6264 405a32 6263->6264 6265 405a3b 6263->6265 6268 40599c 6264->6268 6266 405890 5 API calls 6265->6266 6266->6262 6269 4059a4 6268->6269 6270 4059be 6269->6270 6271 403154 4 API calls 6269->6271 6272 4059c3 6270->6272 6273 4059da 6270->6273 6271->6269 6274 405890 5 API calls 6272->6274 6275 403154 4 API calls 6273->6275 6276 4059d6 6274->6276 6277 4059df 6275->6277 6279 403154 4 API calls 6276->6279 6278 405900 19 API calls 6277->6278 6278->6276 6280 405a08 6279->6280 6281 403154 4 API calls 6280->6281 6282 405a16 6281->6282 6282->6262 6283 403a28 ReadFile 6284 403a46 6283->6284 6285 403a49 GetLastError 6283->6285 6713 40972c 6714 409745 
6713->6714 6715 40973b 6713->6715 6715->6714 6716 40976a CallWindowProcA 6715->6716 6716->6714 6286 409e32 6287 4098b4 4 API calls 6286->6287 6288 409e37 6287->6288 6289 409e3c 6288->6289 6290 402f24 5 API calls 6288->6290 6291 407830 InterlockedExchange 6289->6291 6290->6289 6292 409e66 6291->6292 6293 409e76 6292->6293 6294 4098b4 4 API calls 6292->6294 6295 4075c4 22 API calls 6293->6295 6294->6293 6296 409e92 6295->6296 6297 4025ac 4 API calls 6296->6297 6298 409ec9 6297->6298 6717 403932 6718 403924 6717->6718 6719 40374c VariantClear 6718->6719 6720 40392c 6719->6720 5985 406f3b 5986 406f2c SetErrorMode 5985->5986 5580 4075c4 SetEndOfFile 5581 4075d4 5580->5581 5582 4075db 5580->5582 5583 4073a4 21 API calls 5581->5583 5583->5582 6305 402ccc 6308 402cfe 6305->6308 6309 402cdd 6305->6309 6306 402d88 RtlUnwind 6307 403154 4 API calls 6306->6307 6307->6308 6309->6306 6309->6308 6310 402b28 RaiseException 6309->6310 6311 402d7f 6310->6311 6311->6306 6721 403fcd 6722 403f07 4 API calls 6721->6722 6723 403fd6 6722->6723 6724 403e9c 4 API calls 6723->6724 6725 403fe2 6724->6725 4865 4024d0 4866 4024e4 4865->4866 4867 4024f7 4865->4867 4904 401918 RtlInitializeCriticalSection 4866->4904 4869 402518 4867->4869 4870 40250e RtlEnterCriticalSection 4867->4870 4881 402300 4869->4881 4870->4869 4874 4024ed 4876 402525 4877 402581 4876->4877 4878 402577 RtlLeaveCriticalSection 4876->4878 4878->4877 4879 402531 4879->4876 4911 40215c 4879->4911 4882 402314 4881->4882 4883 402335 4882->4883 4888 4023b8 4882->4888 4884 402344 4883->4884 4925 401b74 4883->4925 4884->4876 4891 401fd4 4884->4891 4888->4884 4889 402455 4888->4889 4928 401d80 4888->4928 4936 401e84 4888->4936 4889->4884 4932 401d00 4889->4932 4892 401fe8 4891->4892 4893 401ffb 4891->4893 4894 401918 4 API calls 4892->4894 4895 402012 RtlEnterCriticalSection 4893->4895 4898 40201c 4893->4898 4896 401fed 4894->4896 4895->4898 4896->4893 4897 401ff1 4896->4897 4901 402052 4897->4901 4898->4901 5018 401ee0 4898->5018 
4901->4879 4902 402147 4902->4879 4903 40213d RtlLeaveCriticalSection 4903->4902 4905 401946 4904->4905 4906 40193c RtlEnterCriticalSection 4904->4906 4907 401964 LocalAlloc 4905->4907 4906->4905 4908 40197e 4907->4908 4909 4019c3 RtlLeaveCriticalSection 4908->4909 4910 4019cd 4908->4910 4909->4910 4910->4867 4910->4874 4912 40217a 4911->4912 4913 402175 4911->4913 4915 4021ab RtlEnterCriticalSection 4912->4915 4918 40217e 4912->4918 4923 4021b5 4912->4923 4914 401918 4 API calls 4913->4914 4914->4912 4915->4923 4916 4021c1 4919 4022e3 RtlLeaveCriticalSection 4916->4919 4920 4022ed 4916->4920 4917 402244 4917->4918 4921 401d80 7 API calls 4917->4921 4918->4876 4919->4920 4920->4876 4921->4918 4922 402270 4922->4916 4924 401d00 7 API calls 4922->4924 4923->4916 4923->4917 4923->4922 4924->4916 4926 40215c 9 API calls 4925->4926 4927 401b95 4926->4927 4927->4884 4929 401d89 4928->4929 4931 401d92 4928->4931 4930 401b74 9 API calls 4929->4930 4929->4931 4930->4931 4931->4888 4933 401d4e 4932->4933 4934 401d1e 4932->4934 4933->4934 4941 401c68 4933->4941 4934->4884 4996 401768 4936->4996 4938 401e99 4939 401ea6 4938->4939 5007 401dcc 4938->5007 4939->4888 4942 401c7a 4941->4942 4943 401c9d 4942->4943 4944 401caf 4942->4944 4954 40188c 4943->4954 4946 40188c 3 API calls 4944->4946 4947 401cad 4946->4947 4948 401cc5 4947->4948 4964 401b44 4947->4964 4948->4934 4950 401cd4 4951 401cee 4950->4951 4969 401b98 4950->4969 4974 4013a0 4951->4974 4955 4018b2 4954->4955 4956 40190b 4954->4956 4978 401658 4955->4978 4956->4947 4961 4018e6 4961->4956 4963 4013a0 LocalAlloc 4961->4963 4963->4956 4965 401b61 4964->4965 4966 401b52 4964->4966 4965->4950 4967 401d00 9 API calls 4966->4967 4968 401b5f 4967->4968 4968->4950 4970 401bab 4969->4970 4971 401b9d 4969->4971 4970->4951 4972 401b74 9 API calls 4971->4972 4973 401baa 4972->4973 4973->4951 4975 4013ab 4974->4975 4976 4013c6 4975->4976 4977 4012e4 LocalAlloc 4975->4977 4976->4948 4977->4976 4980 40168f 4978->4980 4979 4016cf 4982 
40132c 4979->4982 4980->4979 4981 4016a9 VirtualFree 4980->4981 4981->4980 4983 401348 4982->4983 4990 4012e4 4983->4990 4986 40150c 4988 40153b 4986->4988 4987 401594 4987->4961 4988->4987 4989 401568 VirtualFree 4988->4989 4989->4988 4993 40128c 4990->4993 4994 401298 LocalAlloc 4993->4994 4995 4012aa 4993->4995 4994->4995 4995->4961 4995->4986 4998 401787 4996->4998 4997 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 4997->4998 4998->4997 4999 40183b 4998->4999 5001 40132c LocalAlloc 4998->5001 5002 401821 4998->5002 5005 4017d6 4998->5005 5003 4017e7 4999->5003 5014 4015c4 4999->5014 5001->4998 5004 40150c VirtualFree 5002->5004 5003->4938 5004->5003 5006 40150c VirtualFree 5005->5006 5006->5003 5008 401d80 9 API calls 5007->5008 5009 401de0 5008->5009 5010 40132c LocalAlloc 5009->5010 5012 401df0 5010->5012 5011 401df8 5011->4939 5012->5011 5013 401b44 9 API calls 5012->5013 5013->5011 5015 40160a 5014->5015 5016 401626 VirtualAlloc 5015->5016 5017 40163a 5015->5017 5016->5015 5016->5017 5017->5003 5021 401ef0 5018->5021 5019 401f1c 5020 401d00 9 API calls 5019->5020 5023 401f40 5019->5023 5020->5023 5021->5019 5021->5023 5024 401e58 5021->5024 5023->4902 5023->4903 5029 4016d8 5024->5029 5027 401dcc 9 API calls 5028 401e75 5027->5028 5028->5021 5030 4016f4 5029->5030 5032 4016fe 5030->5032 5034 40175b 5030->5034 5035 40132c LocalAlloc 5030->5035 5037 40174f 5030->5037 5039 401430 5030->5039 5033 4015c4 VirtualAlloc 5032->5033 5036 40170a 5033->5036 5034->5027 5034->5028 5035->5030 5036->5034 5038 40150c VirtualFree 5037->5038 5038->5034 5040 40143f VirtualAlloc 5039->5040 5042 40146c 5040->5042 5043 40148f 5040->5043 5044 4012e4 LocalAlloc 5042->5044 5043->5030 5045 401478 5044->5045 5045->5043 5046 40147c VirtualFree 5045->5046 5046->5043 6312 40a0d0 6321 409448 6312->6321 6315 402f24 5 API calls 6316 40a0da 6315->6316 6317 403198 4 API calls 6316->6317 6318 40a0f9 6317->6318 6319 403198 4 API calls 6318->6319 6320 40a101 6319->6320 6330 4055fc 
6321->6330 6323 409463 6324 409491 6323->6324 6336 407130 6323->6336 6327 403198 4 API calls 6324->6327 6326 409481 6329 409489 MessageBoxA 6326->6329 6328 4094a6 6327->6328 6328->6315 6329->6324 6331 403154 4 API calls 6330->6331 6332 405601 6331->6332 6333 405619 6332->6333 6334 403154 4 API calls 6332->6334 6333->6323 6335 40560f 6334->6335 6335->6323 6337 4055fc 4 API calls 6336->6337 6338 40713f 6337->6338 6339 407145 6338->6339 6341 407153 6338->6341 6340 40322c 4 API calls 6339->6340 6342 407151 6340->6342 6343 407163 6341->6343 6344 40716f 6341->6344 6342->6326 6347 4070f4 6343->6347 6354 4032b8 6344->6354 6348 40322c 4 API calls 6347->6348 6349 407103 6348->6349 6350 407120 6349->6350 6351 406894 CharPrevA 6349->6351 6350->6342 6352 40710f 6351->6352 6352->6350 6353 4032fc 4 API calls 6352->6353 6353->6350 6355 403278 4 API calls 6354->6355 6356 4032c2 6355->6356 6356->6342 6357 4028d2 6360 4028da 6357->6360 6358 403554 4 API calls 6358->6360 6359 4028ef 6361 4025ac 4 API calls 6359->6361 6360->6358 6360->6359 6362 4028f4 6361->6362 6726 4019d3 6727 4019ba 6726->6727 6728 4019c3 RtlLeaveCriticalSection 6727->6728 6729 4019cd 6727->6729 6728->6729 6730 4065d4 IsDBCSLeadByte 6731 4065ec 6730->6731 6367 409edb 6368 409f0b 6367->6368 6369 409f15 CreateWindowExA SetWindowLongA 6368->6369 6370 4050e4 19 API calls 6369->6370 6371 409f98 6370->6371 6372 4032fc 4 API calls 6371->6372 6373 409fa6 6372->6373 6374 4032fc 4 API calls 6373->6374 6375 409fb3 6374->6375 6376 406ab8 5 API calls 6375->6376 6377 409fbf 6376->6377 6378 4032fc 4 API calls 6377->6378 6379 409fc8 6378->6379 6380 4097b8 29 API calls 6379->6380 6381 409fda 6380->6381 6382 4095d0 5 API calls 6381->6382 6383 409fed 6381->6383 6382->6383 6384 40a026 6383->6384 6385 409330 9 API calls 6383->6385 6386 40a03f 6384->6386 6389 40a039 RemoveDirectoryA 6384->6389 6385->6384 6387 40a053 6386->6387 6388 40a048 73A25CF0 6386->6388 6390 40a07b 6387->6390 6391 40357c 4 API calls 6387->6391 6388->6387 6389->6386 

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • GetSystemInfo.KERNEL32(?), ref: 00409956
                                                                              • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409961
                                                                              • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004099A2
                                                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004099D4
                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 004099E4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$ProtectQuery$InfoSystem
                                                                              • String ID:
                                                                              • API String ID: 2441996862-0
                                                                              • Opcode ID: 5705ee394a72ddd399e4027cfb053887e63c693988ca45339c41590f720f2ccb
                                                                              • Instruction ID: a6a75d5afacf98dda07d650d9392f85e94a9260a8e81f76dcb0e561c1d323dc9
                                                                              • Opcode Fuzzy Hash: 5705ee394a72ddd399e4027cfb053887e63c693988ca45339c41590f720f2ccb
                                                                              • Instruction Fuzzy Hash: BE21A1F12003006BD630AA598C85E5BB3D8DB46350F08492FFA86E23C3D739ED40C659
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                              • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                                                              • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                              • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A83), ref: 00408F1C
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F22
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A83), ref: 00408F36
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F3C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
                                                                              • Instruction ID: ef4badd54955bda93fd7c631ce084268f05c1d5093e10ec72b10b69b713a5d4b
                                                                              • Opcode Fuzzy Hash: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
                                                                              • Instruction Fuzzy Hash: D701F770108301EEE700BB72DE57B163A59D745718F60443FF248761C2CE7C4904CA2D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F37
                                                                              • SetWindowLongA.USER32(00020470,000000FC,0040972C), ref: 00409F4E
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A03A
                                                                              • 73A25CF0.USER32(00020470,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A04E
                                                                                • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,020A2EE4), ref: 004093B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateDirectoryErrorLastLongRemove
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 972923418-3001827809
                                                                              • Opcode ID: 356ba627585c3b8aeb63b7ec6763bf964542e42b5da9ee7fb4b831b47c6476ae
                                                                              • Instruction ID: b0b7cb5c84c11a902aa92c151bc7a473584df1d8a174dbb0272dab9361f09c30
                                                                              • Opcode Fuzzy Hash: 356ba627585c3b8aeb63b7ec6763bf964542e42b5da9ee7fb4b831b47c6476ae
                                                                              • Instruction Fuzzy Hash: ED414170A00205DBC715EBA9EE85B9E7BA5EF44304F10427BF550B72E2DB789801CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F37
                                                                              • SetWindowLongA.USER32(00020470,000000FC,0040972C), ref: 00409F4E
                                                                                • Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FBF,?), ref: 00406AD0
                                                                                • Part of subcall function 004097B8: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4,00000000,0040988B), ref: 00409828
                                                                                • Part of subcall function 004097B8: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4,00000000), ref: 0040983C
                                                                                • Part of subcall function 004097B8: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409855
                                                                                • Part of subcall function 004097B8: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409867
                                                                                • Part of subcall function 004097B8: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4), ref: 00409870
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A03A
                                                                              • 73A25CF0.USER32(00020470,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A04E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 978128352-3001827809
                                                                              • Opcode ID: 8adb2276f24502cdda7e1e25f51ffccaae98d0a235ff27fffbb48544401fc469
                                                                              • Instruction ID: f1d2162e6052a88f2f310f1910c468c6413901ad883113d8bc6822bbadce307d
                                                                              • Opcode Fuzzy Hash: 8adb2276f24502cdda7e1e25f51ffccaae98d0a235ff27fffbb48544401fc469
                                                                              • Instruction Fuzzy Hash: B7411C70A00205DFD715EBA9EE85B9A7BA5EB88304F10427BF510B72E2DB789801CB5D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4,00000000,0040988B), ref: 00409828
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4,00000000), ref: 0040983C
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409855
                                                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409867
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,020A2EE4,004098A4), ref: 00409870
                                                                                • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,020A2EE4), ref: 004093B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                              • String ID: D
                                                                              • API String ID: 3356880605-2746444292
                                                                              • Opcode ID: 3ff481d983818b20dfc2cef53ba7a084528a695c42936f0cbd91dc6a76799fc6
                                                                              • Instruction ID: d6342c5014be746473ae4a73a07d94ec33375df439d205700b32e47ef222c3c9
                                                                              • Opcode Fuzzy Hash: 3ff481d983818b20dfc2cef53ba7a084528a695c42936f0cbd91dc6a76799fc6
                                                                              • Instruction Fuzzy Hash: 381160B16102086EDB00FBE68C52F9EB7ACEF49714F50413ABA14F72C7DA785D008668

                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091CE
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091D7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
                                                                              • Instruction ID: b3c939f821d6d3b02d73a6ffc60c10d65ff6e2c1a1ef0f9f166dc2fc0ea9728e
                                                                              • Opcode Fuzzy Hash: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
                                                                              • Instruction Fuzzy Hash: 16214774A00209ABDB01EFA1C9429DFB7B9EB88304F50457FE501B73C2DA7C9E058BA5

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CB1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp
                                                                              • API String ID: 2030045667-2986845003
                                                                              • Opcode ID: 0f82f1c4d759405840efd70fc318bbeb2c43fc543230e63a2822dd9ae4ce5900
                                                                              • Instruction ID: 241aa51b6908f2d1dddb6a0cd00689432b616bf1cdbe7f50cfb4de551c7d1b4f
                                                                              • Opcode Fuzzy Hash: 0f82f1c4d759405840efd70fc318bbeb2c43fc543230e63a2822dd9ae4ce5900
                                                                              • Instruction Fuzzy Hash: 2541E170604201DFD715EF29DE92A5A7BA6FB49308B10457AF800B73E2CB79AC01DB9D

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CB1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp
                                                                              • API String ID: 2030045667-2986845003
                                                                              • Opcode ID: 9303481059f97bee54f9b04abf88518633238788d527aa2b880329f942cd8582
                                                                              • Instruction ID: 6703d18eb847d6b61cc42f6542934489f35641dfe9846f309c432ed6b1daf27a
                                                                              • Opcode Fuzzy Hash: 9303481059f97bee54f9b04abf88518633238788d527aa2b880329f942cd8582
                                                                              • Instruction Fuzzy Hash: 7341C170600205DFD715EF29DE92A5A7BA6FB49308B10457AF800B73E2CB79AC01DB9D

                                                                               Control-flow Graph
                                                                               • Basic blocks: 254 406ec4-406f17 (SetErrorMode, call 403414, LoadLibraryA)
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406ECE
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406F18,?,00000000,00406F36,?,00008000), ref: 00406EFD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
                                                                              • Instruction ID: 5e20ffdb52ff7e8261d23daca573ea8644dcd49689b218f11c6781c5bce8f48d
                                                                              • Opcode Fuzzy Hash: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
                                                                              • Instruction Fuzzy Hash: D7F089705147047EDB119F769C6241ABBECD749B047534875F910A26D2E53C4C208568

                                                                               Control-flow Graph
                                                                               • Basic blocks: 258 407544-407562 (ReadFile); 259 407564-407568; 260 40757b-407582; 261 407574-407576 (call 4073a4); 262 40756a-407572 (GetLastError)
                                                                               • Edges: 258->259, 258->260, 259->261, 259->262, 261->260, 262->260, 262->261
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040755B
                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040756A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastRead
                                                                              • String ID:
                                                                              • API String ID: 1948546556-0
                                                                              • Opcode ID: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
                                                                              • Instruction ID: 34e576fd7e6559e3ef6c853e67441063c40c11266019ec046b6cc2e4d5471cd5
                                                                              • Opcode Fuzzy Hash: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
                                                                              • Instruction Fuzzy Hash: ABE06DA1A081507AEB20965AAC85FAB66DC8BC5314F04417BF904DB282C678DC00C27A

                                                                               Control-flow Graph
                                                                               • Basic blocks: 264 407584-4075a9 (SetFilePointer); 265 4075bb-4075c0; 266 4075ab-4075b2 (GetLastError); 267 4075b4-4075b6 (call 4073a4)
                                                                               • Edges: 264->265, 264->266, 266->265, 266->267, 267->265
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075A3
                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 004075AB
                                                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020A03AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 64234936368745cadff0884a95fa07edb9d6d799bdb4626fca8da24a174aceff
                                                                              • Instruction ID: 1215520e40270bbf1c42edbfe5ddbfad2f0444ede1f1e4d22e24bec04403dad1
                                                                              • Opcode Fuzzy Hash: 64234936368745cadff0884a95fa07edb9d6d799bdb4626fca8da24a174aceff
                                                                              • Instruction Fuzzy Hash: 6FE092B66081006BD700D55DC881A9B33DCDFC5364F044136BA54EB2C1D6B5EC008376

                                                                               Control-flow Graph
                                                                               • Basic blocks: 269 4074dc-4074fd (SetFilePointer); 270 40750f-407511; 271 4074ff-407506 (GetLastError); 272 407508-40750a (call 4073a4)
                                                                               • Edges: 269->270, 269->271, 271->270, 271->272, 272->270
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004074F3
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004074FF
                                                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020A03AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 7dcdc125b41699120aae8acb46450914bebfaac92dc1c1f3d4146a6219e6b847
                                                                              • Instruction ID: 3a188f8a391a656106576682ef5fc0e36605e971047c99b326a67709d18e7f8b
                                                                              • Opcode Fuzzy Hash: 7dcdc125b41699120aae8acb46450914bebfaac92dc1c1f3d4146a6219e6b847
                                                                              • Instruction Fuzzy Hash: B4E04FB1600210AFEB20EEB98981B9272D89F44364F0485B6EA14DF2C6D274DC00C766

                                                                               Control-flow Graph
                                                                               • Basic blocks: 332 401430-40143d; 333 401446-40144c; 334 40143f-401444; 335 401452-40146a (VirtualAlloc); 336 40146c-40147a (call 4012e4); 337 40148f-401492; 340 40147c-40148d (VirtualFree)
                                                                               • Edges: 332->333, 332->334, 333->335, 334->335, 335->336, 335->337, 336->337, 336->340, 340->337
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 2087232378-0
                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
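The "APIs" bullets in these records all share one shape: an optional "Part of subcall function XXXXXXXX:" prefix, then Name.MODULE(arg,arg,...), ref: address. The argument list is the raw stack words captured at the call site, so it can run past the API's real parameter count (VirtualAlloc takes four parameters but the record above lists eight) and "?" marks a word the sandbox could not resolve; only positions inside the documented prototype should be read as arguments. The following is an added example, not code from the Joe Sandbox report or from the sample under analysis: a Python parser for that bullet format that decodes the flag arguments against standard Win32 constants (SEM_*, MEM_*, PAGE_*, MB_*, FILE_ATTRIBUTE_*) and flags any VirtualAlloc that requests PAGE_EXECUTE_READWRITE. The sample lines are constructed by copying bullets from the records on this page (the subcall line is shortened to two stack words); the flag table, the `rwx_allocations` check and every function name are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: "APIs" bullets in the form the report uses, copied
# from the records on this page (the subcall line is shortened for readability).
SAMPLE_API_LINES = """\
• SetErrorMode.KERNEL32(00008000), ref: 00406ECE
• LoadLibraryA.KERNEL32(00000000,00000000,00406F18,?,00000000,00406F36,?,00008000), ref: 00406EFD
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CB1
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
  • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442), ref: 004073A7
"""

# One bullet per call: [Part of subcall function XXXXXXXX:] Name.MODULE(args), ref: XXXXXXXX
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# (function, argument index) -> {bit: name}. Standard Win32 constants (winnt.h / winuser.h);
# the choice of which arguments to decode is an assumption of this example.
FLAG_TABLES = {
    ("SetErrorMode", 0): {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
                          0x8000: "SEM_NOOPENFILEERRORBOX"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    ("VirtualAlloc", 3): {0x01: "PAGE_NOACCESS", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
    ("MessageBoxA", 3): {0x04: "MB_YESNO", 0x20: "MB_ICONQUESTION"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
}


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[Optional[int]]      # stack words at the call site; None where the report shows '?'
    ref: int                       # address of the call instruction
    subcall_of: Optional[int] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one "APIs" bullet; return None for headings and other non-call lines."""
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    sub = m.group("sub")
    return ApiCall(m.group("fn"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(sub, 16) if sub else None)


def parse_api_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(line) for line in text.splitlines()) if c]


def decode_flags(call: ApiCall) -> Dict[int, str]:
    """Name the known flag arguments of a call; bits not in the table are left as hex."""
    out: Dict[int, str] = {}
    for (fn, idx), table in FLAG_TABLES.items():
        if call.function != fn or idx >= len(call.args) or call.args[idx] is None:
            continue
        value = call.args[idx]
        names, rest = [], value
        for bit, name in sorted(table.items()):
            if (value & bit) == bit:
                names.append(name)
                rest &= ~bit
        if rest:
            names.append(hex(rest))
        out[idx] = "|".join(names) if names else "0"
    return out


def rwx_allocations(calls: List[ApiCall]) -> List[int]:
    """Call sites where VirtualAlloc asks for PAGE_EXECUTE_READWRITE, a common unpacking signal."""
    return [c.ref for c in calls
            if c.function == "VirtualAlloc" and len(c.args) > 3 and c.args[3] == 0x40]


def summarize(calls: List[ApiCall]) -> List[str]:
    return [f"{c.function}@{c.ref:08X} {decode_flags(c)}" for c in calls]


if __name__ == "__main__":
    for line in summarize(parse_api_block(SAMPLE_API_LINES)):
        print(line)
```

On the records above this yields, for instance, SetErrorMode(SEM_NOOPENFILEERRORBOX) at 00406ECE, VirtualAlloc with MEM_RESERVE and PAGE_NOACCESS at 0040145F, VirtualFree with MEM_RELEASE at 00401486 and MessageBoxA with MB_YESNO|MB_ICONQUESTION at 00409CB1; none of the VirtualAlloc calls on this page requests an executable page, so `rwx_allocations` returns an empty list for them.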

                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
                                                                                • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
                                                                                • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                              • Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
                                                                              • Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                              • Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98
                                                                              APIs
                                                                              • CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrev
                                                                              • String ID:
                                                                              • API String ID: 122130370-0
                                                                              • Opcode ID: 71189d5fdb67734adcc989176e972d73cabe0a8508cd7dda32cb2fd1e54b45a1
                                                                              • Instruction ID: 028ce23b60034aad2079abf39c8673be77ca980571763ae766079fdae63e366f
                                                                              • Opcode Fuzzy Hash: 71189d5fdb67734adcc989176e972d73cabe0a8508cd7dda32cb2fd1e54b45a1
                                                                              • Instruction Fuzzy Hash: 59F0BE523019341BC6117A7F18815AFA7888B86709752417FF506FB382DE3EAE6352AE
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 15eb5b8bcf830c4b195572af03a6c999168ba8d47e453751ce572d84692466fb
                                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                              • Opcode Fuzzy Hash: 15eb5b8bcf830c4b195572af03a6c999168ba8d47e453751ce572d84692466fb
                                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 460f9172ef9680e9bf065e809d42603cad769bb4ead04fe75bdd308fccde6f1f
                                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                              • Opcode Fuzzy Hash: 460f9172ef9680e9bf065e809d42603cad769bb4ead04fe75bdd308fccde6f1f
                                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                              APIs
                                                                                • Part of subcall function 004068B4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406960,?,?,?,?,00000000,?,00406975,00406CA3,00000000,00406CE8,?,?,?), ref: 00406943
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesCharFilePrev
                                                                              • String ID:
                                                                              • API String ID: 4082512850-0
                                                                              • Opcode ID: ce07a51bfea017e2e55e9614cb9ba507b4cfa1873d9ff840f51688b3279052b8
                                                                              • Instruction ID: 89044d1ea86e4fdb03922753e0a58770fdf95516ab6f2bcb8662fa4781c06fed
                                                                              • Opcode Fuzzy Hash: ce07a51bfea017e2e55e9614cb9ba507b4cfa1873d9ff840f51688b3279052b8
                                                                              • Instruction Fuzzy Hash: 04E09B713043047FD701EFB2DD53E59B7ECD789704B524476B501F7682D5785E108468
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004075F7
                                                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020A03AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastWrite
                                                                              • String ID:
                                                                              • API String ID: 442123175-0
                                                                              • Opcode ID: 40637416ea930bd2570c4396363680a61cc257afb866cc0a67376a26f5c88c76
                                                                              • Instruction ID: cd18fb99e22355188e9d2f817127a110343b64b119c62ac1cd4bac3fbb067e43
                                                                              • Opcode Fuzzy Hash: 40637416ea930bd2570c4396363680a61cc257afb866cc0a67376a26f5c88c76
                                                                              • Instruction Fuzzy Hash: 66E06D726081106BEB10A65ED880E6B67DCCFC6364F04447BBA04EB241C575AC0096B6
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408F7F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95), ref: 004071C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: b5d7a52e02d208d464bf7f6ecdaab9899475a573c382e68083ca8db3329c0493
                                                                              • Instruction ID: 5be2c53bb0bc0b7205463fa080de9070734fc39b970025fcf129f6524892d52e
                                                                              • Opcode Fuzzy Hash: b5d7a52e02d208d464bf7f6ecdaab9899475a573c382e68083ca8db3329c0493
                                                                              • Instruction Fuzzy Hash: F8E0D8B179830135F22500A44C87B76160E4780700F20403A3B10EE3D2D9BEA50A415F
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,020C4000,00409E92,00000000), ref: 004075CB
                                                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020A03AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: db8739a5fd2cf61c38ac8d555984da3fa994a5017d3c1d655494e9af8eb405ba
                                                                              • Instruction ID: 3dced8f94abca6fd64a7c9696b134c452ef52fe1396460a469a389ba9e9200de
                                                                              • Opcode Fuzzy Hash: db8739a5fd2cf61c38ac8d555984da3fa994a5017d3c1d655494e9af8eb405ba
                                                                              • Instruction Fuzzy Hash: 78C04CA160410057DB50A7BE8AC2A0672D85F5820430441B6B908DB287D678EC009615
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 3473aa6fdb671349066f074fc3b2aebd5c1d3b8cb352d1e979c386aa55b3b604
                                                                              • Instruction ID: f94a5d2238f2ee5303b4d558b5d93000027bb0092eeb8c65c9d9a83f01a259cd
                                                                              • Opcode Fuzzy Hash: 3473aa6fdb671349066f074fc3b2aebd5c1d3b8cb352d1e979c386aa55b3b604
                                                                              • Instruction Fuzzy Hash: A4B09BB661C2015DE705DAD5745153863D4D7C47103E14577F114D25C0D53C94154518
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
                                                                              • Instruction ID: 8ce709a7dcc0858879a49907ae7d49f16bd3fabbd46d8b550b3201db24fc95e8
                                                                              • Opcode Fuzzy Hash: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
                                                                              • Instruction Fuzzy Hash: 46A022B8C00003B2CE80E2F08080A3C23282A883003C00AA2320EB2080C23EC0000A0A
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E44
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
                                                                              • Instruction ID: e346e479d4e19dc6fbf4ec70e04c611644565a823529d475df5ed673f567dbda
                                                                              • Opcode Fuzzy Hash: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
                                                                              • Instruction Fuzzy Hash: 521172716082059BDB10FF19C881B5B3794AF84359F04847AF958AB3C6DA38EC008B6B
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
                                                                              • Instruction ID: 0a303eee8e17872e34e3f08f3f74197a254d67d3e0467507f6d8b9a4d6bdce8a
                                                                              • Opcode Fuzzy Hash: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
                                                                              • Instruction Fuzzy Hash: 9FD0A7C1B00A6017D315F6BF498865B96C85F88685F08843BF684E73D1D67CAC00C3CD
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E3A), ref: 00407D73
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
                                                                              • Instruction ID: 987a95dec6bedafdacc6f30d71d69a0298e18a8a9a30f6cccb61f0e346f0d057
                                                                              • Opcode Fuzzy Hash: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
                                                                              • Instruction Fuzzy Hash: 6FD0E9B17557045BDB90EEB94CC1B1237D97F48600F5044B66904EB296E674E800D614
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 004092AF
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092B5
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092CE
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092F5
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092FA
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040930B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
                                                                              • Instruction ID: 46e638963846eb8b1a8eef1e5041d40b59806408d3aca7422040dec9ba119927
                                                                              • Opcode Fuzzy Hash: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
                                                                              • Instruction Fuzzy Hash: 3FF012B079430276E620AAB58D07F6B62885BC5B48F50493EBA51FA1D3D7BCD8044A6E
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0A
                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 00409A1D
                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB,?,00000000), ref: 00409A2F
                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB), ref: 00409A40
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: 58fc42bb53a486e047bd3b1a9e6cb875a544f9bb80df9a72ae90c90d8efe33fe
                                                                              • Instruction ID: ae0cc58948cf96eec5457f4820dc726c6d2182020e22fda74881949f5e0d997e
                                                                              • Opcode Fuzzy Hash: 58fc42bb53a486e047bd3b1a9e6cb875a544f9bb80df9a72ae90c90d8efe33fe
                                                                              • Instruction Fuzzy Hash: FAE07E9176538225FA6036FB08C3B2E010C4BA675DF04503BBB04792D3EEBC8C04452E
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                              • Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
                                                                              • Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                              • Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
                                                                              APIs
                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: SystemTime
                                                                              • String ID:
                                                                              • API String ID: 2656138-0
                                                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409A74), ref: 00405C52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Version
                                                                              • String ID:
                                                                              • API String ID: 1889659487-0
                                                                              • Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                              • Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
                                                                              • Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                              • Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction ID: bf64fe3dbf7489daa5b396f442bfdc43c732794851cc1dd68f6a4bedb61b4a1f
                                                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction Fuzzy Hash: 7F32E875E00219DFCB14CF99CA80A9DB7B2BF88314F24816AD855B7395DB34AE42CF54
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406F71
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406F77
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406FC5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-2401316094
                                                                              • Opcode ID: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
                                                                              • Instruction ID: 82a514a35929d101a3f87db01d263b67a2005a07a92a8f1bbb0e3c876c3699bd
                                                                              • Opcode Fuzzy Hash: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
                                                                              • Instruction Fuzzy Hash: F3214130E44209AFDB10EAA1CC56B9F77B8AB44304F60857BA605F72C1D77CAA05C79E
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
                                                                                • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                                • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                              • Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
                                                                              • Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                              • Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
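The "APIs" lists in the function records above (the resource lookup at 00409A0A, the CreateFileA/SetFilePointer/GetStdHandle sequence at 00403B1E, and the GetLocaleInfoA calls at 0040517A and 004051BB) print raw stack slots, so reading them takes two steps: cut each call at its documented parameter count, since the slots after that are residue left by the caller (GetLastError takes no arguments, yet the listing shows 000000F5, the value GetStdHandle pushed just before), and then name the constants. The helper below is an added example for doing that offline; it is not part of the Joe Sandbox report and not code from the sample. Its input is the listing lines copied from this page, the constant names come from the public Win32 headers, and one assumption is marked in the code: that the plugin prints the sign-extended `push -11` immediate as 000000F5. The decode of the first record, FindResourceA(NULL, MAKEINTRESOURCE(11111), RT_RCDATA), follows from 0x2B67 = 11111 and type 0xA; that this is the resource ID/type pair the Inno Setup loader uses for its offset table is an observation from the Inno Setup sources, not something the report states.

```python
# Added triage helper: decode Joe Sandbox 'APIs' listing lines into named Win32 arguments.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Constructed input: lines copied verbatim from the report's APIs sections above.
SAMPLE = """\
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0A
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
  • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?), ref: 004051BB
• ExitProcess.KERNEL32 ref: 00403DE5
"""
LINE_RE = re.compile(r"^\s*•?\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                     r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def flags(table: Dict[int, str]) -> Callable[[int], str]:
    covered = sum(table)  # keys are distinct single bits, so their sum is their OR
    def decode(v: int) -> str:
        v &= 0xFFFFFFFF
        names = [name for bit, name in table.items() if v & bit]
        if v & ~covered:
            names.append(f"0x{v & ~covered:X}")  # bits the table does not name
        return "|".join(names) or "0"
    return decode

def std_handle(v: int) -> str:
    # Assumption: the plugin prints the 8-bit immediate of 'push -11' unextended, as 000000F5.
    v = v - 0x100 if 0x80 <= v < 0x100 else v - (1 << 32) if v >= 0x80000000 else v
    return {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}.get(v, str(v))

def resource_id(v: int) -> str:
    # MAKEINTRESOURCE: an empty high word means an integer ID rather than a string pointer.
    return f"MAKEINTRESOURCE({v})" if 0 < v < 0x10000 else f"0x{v:X}"

RT = {3: "RT_ICON", 10: "RT_RCDATA", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR = {2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
LCTYPE = {0xE: "LOCALE_SDECIMAL", 0xF: "LOCALE_STHOUSAND", 0x1F: "LOCALE_SSHORTDATE", 0x20: "LOCALE_SLONGDATE",
          0x2A: "LOCALE_SDAYNAME1", 0x31: "LOCALE_SABBREVDAYNAME1", 0x44: "LOCALE_SABBREVMONTHNAME1"}

# Documented parameter lists in declaration order; a decoder is a dict (enum), a callable, or None (raw).
PARAMS: Dict[str, list] = {
    "FindResourceA": [("hModule", None), ("lpName", resource_id), ("lpType", RT)],
    "CreateFileA": [("lpFileName", None), ("dwDesiredAccess", flags(ACCESS)), ("dwShareMode", flags(SHARE)),
                    ("lpSecurityAttributes", None), ("dwCreationDisposition", DISP),
                    ("dwFlagsAndAttributes", flags(ATTR)), ("hTemplateFile", None)],
    "SetFilePointer": [("hFile", None), ("lDistanceToMove", None), ("lpDistanceToMoveHigh", None),
                       ("dwMoveMethod", MOVE)],
    "GetStdHandle": [("nStdHandle", std_handle)],
    "GetLastError": [],
    "GetLocaleInfoA": [("Locale", None), ("LCType", LCTYPE), ("lpLCData", None), ("cchData", None)],
}

@dataclass
class Call:
    api: str
    site: int                      # address of the call instruction (the 'ref:' value)
    args: list                     # documented parameters only: int, str, or None for '?'
    residue: list                  # stack slots the plugin printed beyond the parameter count
    caller: Optional[int] = None   # set for 'Part of subcall function' lines
    decoded: Dict[str, str] = field(default_factory=dict)

def parse_value(tok: str):
    tok = tok.strip()
    try:
        return None if tok == "?" else int(tok, 16)  # int() also accepts the plugin's '-00000080' form
    except ValueError:
        return tok  # a literal the plugin resolved, e.g. kernel32.dll

def decode_one(decoder, v) -> str:
    if v is None or isinstance(v, str):
        return "?" if v is None else v
    if callable(decoder):
        return decoder(v)
    u = v & 0xFFFFFFFF
    return decoder.get(u, f"0x{u:X}") if decoder else f"0x{u:X}"

def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        caller, api, _module, argtext, site = m.groups()
        values = [parse_value(t) for t in argtext.split(",")] if argtext else []
        params = PARAMS.get(api)
        n = len(params) if params is not None else len(values)  # unknown API: nothing is residue
        call = Call(api, int(site, 16), values[:n], values[n:], int(caller, 16) if caller else None)
        call.decoded = {name: decode_one(dec, v) for (name, dec), v in zip(params or [], call.args)}
        calls.append(call)
    return calls

def decode_sample() -> Dict[int, Call]:
    return {c.site: c for c in parse_listing(SAMPLE)}
```

`decode_sample()` keys the parsed calls by call-site address; `decode_sample()[0x409A0A].decoded` gives the named form of the FindResourceA call, and `.residue` on any entry shows what the listing carried beyond the real arguments. Extend `PARAMS` with further APIs from the records above (arity first, names second) before trusting any argument the plugin shows past the first few slots.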
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                              • LocalFree.KERNEL32(0054FC60,00000000,00401AB4), ref: 00401A1B
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,0054FC60,00000000,00401AB4), ref: 00401A3A
                                                                              • LocalFree.KERNEL32(0054ED10,?,00000000,00008000,0054FC60,00000000,00401AB4), ref: 00401A79
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID:
                                                                              • API String ID: 3782394904-0
                                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                              • API String ID: 1220098344-1503883590
                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                              • Opcode Fuzzy Hash: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,00409A6A), ref: 004030E3
                                                                              • GetCommandLineA.KERNEL32(00000000,00409A6A), ref: 004030EE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CommandHandleLineModule
                                                                              • String ID: U1hd.@$%S
                                                                              • API String ID: 2123368496-2288993992
                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 730355536-0
                                                                              • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                              • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                              APIs
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040934F
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040935F
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 00409372
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040937C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2944710397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2944688473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944728745.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2944753017.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
                                                                              • Instruction ID: e54841d902c556b0a825a3a9b48dc11fcb5fd53647a295a33fe7abc41a02d5de
                                                                              • Opcode Fuzzy Hash: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
                                                                              • Instruction Fuzzy Hash: C6F0B472A0031497CB34A5EF9986A6F628DEADA768710403BFD04F73C3D538DD014AAD

                                                                              Execution Graph

                                                                              Execution Coverage:16.1%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:5.7%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:51
                                                                               execution_graph (the interactive graph did not survive extraction; its node/edge stream is condensed below to one entry per root function, listing the Win32 APIs reached from that root with the address of the calling node in parentheses. "N API calls" is the report's placeholder for a callee whose imports it does not list.)
                                                                               • 0x440a24: WriteFile (0x440a3b)
                                                                               • 0x402584: RtlInitializeCriticalSection, RtlEnterCriticalSection, LocalAlloc, RtlLeaveCriticalSection (0x4019cc); RtlEnterCriticalSection (0x4025c2, 0x4020c6); RtlLeaveCriticalSection (0x40262b, 0x4021f1); LocalAlloc (0x4013e0, 0x401398, 0x401454); VirtualAlloc (0x401678, 0x4014f3); VirtualFree (0x4015c0, 0x401530, 0x40175d); 0x4023b4 (13 API calls); 0x402210, 0x401e80, 0x401bf8, 0x401c4c (9 API calls each)
                                                                               • 0x488b2c: a chain of compare-and-branch cases (0x488b68 to 0x489171), each of which calls 0x446668 (18 API calls) and then one of: MessageBeep (0x409028); GetCurrentDirectoryA (0x407210); SetCurrentDirectoryA (0x407238); Wow64DisableWow64FsRedirection, SetLastError, Wow64RevertWow64FsRedirection, DeleteFileA, GetLastError (0x450f04); Wow64DisableWow64FsRedirection, SetLastError, Wow64RevertWow64FsRedirection, RemoveDirectoryA, GetLastError (0x45140c); 0x45127c, which calls 0x450d20 (2 API calls), MoveFileA, GetLastError (0x4512bd) and Wow64RevertWow64FsRedirection (0x450d5c); IsDBCSLeadByte (0x42c7e4, 0x42c438); VariantClear (0x4469bc, 0x446740, 0x435a70); LocalAlloc, TlsSetValue, TlsGetValue (0x406b90, 0x406bc4, 0x408498, 0x408b9c); 0x44660c, 0x4040e8 (18 API calls each); 0x488a28 (12); 0x488830 (9); 0x407188, 0x42c538 (8); 0x407d6c (7); 0x42c6ec, 0x42c78c, 0x42c7b4, 0x42c814, 0x42c83c, 0x42e650, 0x450d6c (5); 0x403400, 0x403420, 0x403494, 0x403510, 0x403778 (4)
                                                                               • 0x416584: calls 0x73A25CF0 (an address in another loaded module; not resolved to a name in the dump)
                                                                               • 0x40ce88: CloseHandle (0x406ed8)
                                                                               • 0x48fb00: GetModuleHandleA, GetCommandLineA (0x403344); LocalAlloc, TlsSetValue, TlsGetValue (0x4033bc, 0x403450); LoadStringA (0x406d7c); GetSystemDefaultLCID (0x40856c, 0x4086b0); GetLocaleInfoA (0x4084f8, 0x408544); 0x403400, 0x403420, 0x403494, 0x4034bc, 0x4034e0, 0x402660 (4 API calls each)
                                                                               • 0x42e22b: SetErrorMode
                                                                               • 0x41edec: IsWindowVisible (0x41edfb); IsWindowEnabled (0x41ee05); EnableWindow (0x41ee19); 0x402648 (4 API calls)
                                                                               • 0x42eccc: NtdllDefWindowProc_A (0x42ecdb)
                                                                               • 0x478d57: 0x450130 (5 API calls); 0x477ecc (23 API calls)
                                                                               • 0x44a5d4: 0x4158e4 (7 API calls); 0x44a784 (9 API calls)
                                                                               • 0x41faf0: GetWindowLongA, GetSystemMetrics (0x41f954, 0x41f860, 0x41f8f1); SetScrollInfo (0x41fbd0); IsWindowVisible, ScrollWindow, SetWindowPos (0x417de0); GetScrollPos (0x41fac9); SetScrollPos (0x41fae3); 0x41fb34 (10 API calls)
                                                                               • 0x420530: KiUserCallbackDispatcher (0x41466c, 0x4146b0); MulDiv (0x4205da, 0x42063b, 0x420667); DeleteObject (0x41a29c); LoadStringA (0x40e224, 0x40ec94, 0x40d5e0); 0x4207e0 (20 API calls); 0x40dc50, 0x40ad04 (19); 0x41fff8 (12); 0x40eb90, 0x40e0dc, 0x40eaf4 (5); 0x403420 (4)
                                                                               • 0x4135d4: SetWindowLongA, GetWindowLongA (0x4135d4, 0x413613, 0x413622); SetPropA (0x413631); EnumWindows (0x423a32); GetWindow (0x423a4e, 0x4239b4); SetWindowPos (0x423a99, 0x423aac); 0x414ff4 (46 API calls); 0x424b24 (13 API calls); window procedure 0x423ba4 with IsIconic (0x424032, 0x423d66), GetFocus (0x424046, 0x423f92), SetFocus (0x423fa7, 0x4151f3, 0x424066), SendMessageA (0x423eab, 0x4244c4), PostMessageA (0x423db6, 0x423e01, 0x423e23), NtdllDefWindowProc_A (0x423b1c), WinHelpA, PostMessageA (0x4247e8), ShowWindow, PostMessageA, PostQuitMessage (0x422be4), GetCurrentThreadId followed by a call to 0x73A25940 (0x41ef8c, 0x41ee3c), IsWindowEnabled (0x423f6f, 0x423f10), IsWindowVisible (0x423f84), IsWindow, EnableWindow (0x41eef0), 0x4086b0 (7 API calls), 0x42412c, 0x424174 (11), 0x424110 (12), 0x423b58 (15), 0x42446c (5), 0x4122a8 (7), 0x402660 (4)
                                                                               • 0x414614: KiUserCallbackDispatcher
                                                                               • 0x478df1: LocalAlloc, TlsSetValue, TlsGetValue (0x477814); LoadStringA (0x408b70); 0x46fe98 (162 API calls); 0x4779e0, 0x477a50, 0x4779bc (37 API calls each); 0x4776ac (23); 0x474c8c (39); 0x478030 (18); 0x474fa4, which calls GetWindowsDirectoryA (0x42d76c), GetSystemDirectoryA (0x42d798), 0x42d7c4 (6 API calls), 0x474e2c (8), 0x42c7b4, 0x42c394 (5), 0x4035c0, 0x403450, 0x403400 (4); 0x477d90, 0x478114, 0x48bbf8, 0x42d0dc. The extracted dump breaks off inside this tree at node 0x451940.
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53317->53551 53318->53319 53534 474f10 53319->53534 53322 474e2c 8 API calls 53320->53322 53324 475128 53322->53324 53327 403450 4 API calls 53324->53327 53326 403400 4 API calls 53329 4751ab 53326->53329 53328 475135 53327->53328 53328->53304 53552 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53328->53552 53331 475400 53329->53331 53332 475408 53331->53332 53332->53332 53554 452020 53332->53554 53335 403450 4 API calls 53336 475435 53335->53336 53337 403494 4 API calls 53336->53337 53338 475442 53337->53338 53339 40357c 4 API calls 53338->53339 53340 475450 53339->53340 53341 4557f0 23 API calls 53340->53341 53342 475458 53341->53342 53343 47546b 53342->53343 53588 454fe8 6 API calls 53342->53588 53345 42c394 5 API calls 53343->53345 53346 475478 53345->53346 53347 4035c0 4 API calls 53346->53347 53348 475488 53347->53348 53349 475492 CreateDirectoryA 53348->53349 53350 47549c GetLastError 53349->53350 53372 4754f8 53349->53372 53589 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53350->53589 53352 4035c0 4 API calls 53353 47550d 53352->53353 53572 4753a8 53353->53572 53354 4754b4 53590 406cf8 19 API calls 53354->53590 53357 47551a 53577 45640c 53357->53577 53358 4754c4 53360 42e650 5 API calls 53358->53360 53362 4754d4 53360->53362 53361 475522 53363 47554b 53361->53363 53365 4035c0 4 API calls 53361->53365 53591 45052c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53362->53591 53367 403420 4 API calls 53363->53367 53368 475538 53365->53368 53366 4754e9 53592 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53366->53592 53370 475565 53367->53370 53371 4753a8 25 API calls 53368->53371 53373 403420 4 API calls 53370->53373 53374 475543 53371->53374 53372->53352 53375 475572 53373->53375 53593 456478 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53374->53593 53377 47572c 53375->53377 53378 42c394 5 API calls 53377->53378 53379 475758 53378->53379 53380 4035c0 4 API calls 53379->53380 53381 475768 
53380->53381 53382 4753a8 25 API calls 53381->53382 53383 475775 53382->53383 53656 450bd4 53383->53656 53386 47578e 53387 450bd4 30 API calls 53386->53387 53389 47579b 53387->53389 53390 4757d4 53389->53390 53391 403494 4 API calls 53389->53391 53392 42e1d0 2 API calls 53390->53392 53391->53390 53393 4757e3 53392->53393 53394 42e1d0 2 API calls 53393->53394 53395 4757f0 53394->53395 53396 475823 GetProcAddress 53395->53396 53399 407884 19 API calls 53395->53399 53397 47583f 53396->53397 53398 475849 53396->53398 53661 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53397->53661 53402 403400 4 API calls 53398->53402 53400 47581b 53399->53400 53660 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53400->53660 53404 47585e 53402->53404 53405 403400 4 API calls 53404->53405 53406 475866 53405->53406 53406->53196 53512 477bf8 31 API calls 53406->53512 53408 42c394 5 API calls 53407->53408 53409 477dbc 53408->53409 53410 4035c0 4 API calls 53409->53410 53411 477dcc 53410->53411 53412 4752cc 21 API calls 53411->53412 53413 477dda 53412->53413 53414 42e1d0 2 API calls 53413->53414 53415 477df2 53414->53415 53416 477e25 53415->53416 53417 407884 19 API calls 53415->53417 53676 45a4fc GetProcAddress GetProcAddress GetProcAddress 53416->53676 53419 477e1d 53417->53419 53680 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53419->53680 53420 477e2f 53422 477e3d 53420->53422 53681 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53420->53681 53427 478125 53426->53427 53428 478160 53427->53428 53429 478150 53427->53429 53428->53201 53682 476ac4 6 API calls 53429->53682 53432 48bc02 53431->53432 53683 447acc 53432->53683 53499->53164 53501->53161 53502->53152 53503->53170 53504->53170 53505->53170 53506->53170 53507->53170 53508->53170 53509->53180 53510->53184 53511->53184 53512->53196 53524 42dc34 RegOpenKeyExA 53523->53524 53525 474e52 53524->53525 53526 474e56 53525->53526 53527 474e78 53525->53527 53529 42db64 6 API calls 53526->53529 53528 403400 4 API 
calls 53527->53528 53530 474e7f 53528->53530 53531 474e62 53529->53531 53530->53292 53532 474e6d RegCloseKey 53531->53532 53533 403400 4 API calls 53531->53533 53532->53530 53533->53532 53535 474f1e 53534->53535 53536 42dc34 RegOpenKeyExA 53535->53536 53537 474f46 53536->53537 53538 474f77 53537->53538 53539 42db64 6 API calls 53537->53539 53538->53326 53540 474f5c 53539->53540 53541 42db64 6 API calls 53540->53541 53542 474f6e RegCloseKey 53541->53542 53542->53538 53544 4038a4 4 API calls 53543->53544 53545 42d0ef 53544->53545 53546 42d106 GetEnvironmentVariableA 53545->53546 53550 42d119 53545->53550 53553 42da00 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53545->53553 53546->53545 53547 42d112 53546->53547 53548 403400 4 API calls 53547->53548 53548->53550 53550->53285 53551->53320 53552->53304 53553->53545 53571 452040 53554->53571 53556 451dac 12 API calls 53556->53571 53557 452065 CreateDirectoryA 53558 4520dd 53557->53558 53559 45206f GetLastError 53557->53559 53560 403494 4 API calls 53558->53560 53559->53571 53562 4520e7 53560->53562 53563 403420 4 API calls 53562->53563 53564 452101 53563->53564 53566 403420 4 API calls 53564->53566 53567 45210e 53566->53567 53567->53335 53568 42e650 5 API calls 53568->53571 53571->53556 53571->53557 53571->53568 53594 42d848 53571->53594 53617 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53571->53617 53618 406cf8 19 API calls 53571->53618 53619 45052c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53571->53619 53620 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53571->53620 53573 40d0d4 23 API calls 53572->53573 53574 4753c4 53573->53574 53621 4752cc 53574->53621 53576 4753df 53576->53357 53578 45641e 53577->53578 53579 456418 53577->53579 53581 403494 4 API calls 53578->53581 53580 45642c 53579->53580 53582 45641c 53579->53582 53584 403494 4 API calls 53580->53584 53583 45642a 53581->53583 53586 403400 4 API calls 53582->53586 53583->53361 53585 456438 53584->53585 53585->53361 53587 456441 
53586->53587 53587->53361 53588->53343 53589->53354 53590->53358 53591->53366 53592->53372 53593->53363 53595 42d0dc 5 API calls 53594->53595 53596 42d86e 53595->53596 53597 42d87a 53596->53597 53598 42cc1c 7 API calls 53596->53598 53599 42d0dc 5 API calls 53597->53599 53601 42d8c6 53597->53601 53598->53597 53600 42d88a 53599->53600 53602 42d896 53600->53602 53604 42cc1c 7 API calls 53600->53604 53603 42c6ec 5 API calls 53601->53603 53602->53601 53605 42d0dc 5 API calls 53602->53605 53613 42d8bb 53602->53613 53607 42d8d0 53603->53607 53604->53602 53608 42d8af 53605->53608 53606 42d76c GetWindowsDirectoryA 53606->53601 53609 42c394 5 API calls 53607->53609 53611 42cc1c 7 API calls 53608->53611 53608->53613 53610 42d8db 53609->53610 53612 403494 4 API calls 53610->53612 53611->53613 53614 42d8e5 53612->53614 53613->53601 53613->53606 53615 403420 4 API calls 53614->53615 53616 42d8ff 53615->53616 53616->53571 53617->53571 53618->53571 53619->53571 53620->53571 53628 40cf28 53621->53628 53623 475301 53624 403420 4 API calls 53623->53624 53625 475391 53624->53625 53626 403400 4 API calls 53625->53626 53627 475399 53626->53627 53627->53576 53633 40cdd8 53628->53633 53630 40cf42 53645 40cf10 53630->53645 53632 40cf5d 53632->53623 53634 40cde5 53633->53634 53635 40ce01 53634->53635 53636 40ce36 53634->53636 53649 406e50 53635->53649 53653 406e10 CreateFileA 53636->53653 53639 40ce40 53644 40ce2f 53639->53644 53654 408cbc 19 API calls 53639->53654 53640 40ce08 53640->53644 53652 408cbc 19 API calls 53640->53652 53643 40ce67 53643->53644 53644->53630 53646 40cf24 53645->53646 53647 40cf18 53645->53647 53646->53632 53655 40cc40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53647->53655 53650 403738 53649->53650 53651 406e6c CreateFileA 53650->53651 53651->53640 53652->53644 53653->53639 53654->53643 53655->53646 53662 450b0c 53656->53662 53658 450be1 53658->53386 53659 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53658->53659 53659->53386 53660->53396 
53661->53398 53663 403738 53662->53663 53664 450b29 74D41520 53663->53664 53665 450b37 53664->53665 53666 450bae 53664->53666 53667 402648 4 API calls 53665->53667 53670 450bc1 53666->53670 53675 450930 27 API calls 53666->53675 53669 450b3e 74D41500 53667->53669 53671 450b7c 53669->53671 53672 450b62 74D41540 53669->53672 53670->53658 53673 402660 4 API calls 53671->53673 53672->53671 53674 450ba6 53673->53674 53674->53658 53675->53670 53677 45a556 53676->53677 53678 45a538 53676->53678 53677->53420 53678->53677 53679 45a54a ISCryptGetVersion 53678->53679 53679->53420 53680->53416 53681->53422 53682->53428 53684 447ad2 53683->53684 53884 447070 53684->53884 53885 447076 53884->53885 53896 433664 53885->53896 53897 43366b 53896->53897 53898 4312c8 4 API calls 53897->53898 54970 4898f0 54971 489924 54970->54971 54972 48993a 54971->54972 54973 489926 54971->54973 54977 489949 54972->54977 54978 489976 54972->54978 55106 44660c 18 API calls 54973->55106 54975 48992f Sleep 54976 489971 54975->54976 54979 403420 4 API calls 54976->54979 54980 446668 18 API calls 54977->54980 54983 4899b2 54978->54983 54984 489985 54978->54984 54981 489de4 54979->54981 54982 489958 54980->54982 54986 489960 FindWindowA 54982->54986 54989 489a08 54983->54989 54990 4899c1 54983->54990 54985 446668 18 API calls 54984->54985 54987 489992 54985->54987 54988 4468e8 5 API calls 54986->54988 54991 48999a FindWindowA 54987->54991 54988->54976 54996 489a64 54989->54996 54997 489a17 54989->54997 55107 44660c 18 API calls 54990->55107 54993 4468e8 5 API calls 54991->54993 54995 4899ad 54993->54995 54994 4899cd 55108 44660c 18 API calls 54994->55108 54995->54976 55004 489ac0 54996->55004 55005 489a73 54996->55005 55111 44660c 18 API calls 54997->55111 54999 4899da 55109 44660c 18 API calls 54999->55109 55002 489a23 55112 44660c 18 API calls 55002->55112 55003 4899e7 55110 44660c 18 API calls 55003->55110 55015 489afa 55004->55015 55016 489acf 55004->55016 55116 44660c 18 API calls 55005->55116 55009 
489a30 55113 44660c 18 API calls 55009->55113 55010 4899f2 SendMessageA 55014 4468e8 5 API calls 55010->55014 55011 489a7f 55117 44660c 18 API calls 55011->55117 55013 489a3d 55114 44660c 18 API calls 55013->55114 55014->54995 55024 489b48 55015->55024 55025 489b09 55015->55025 55019 446668 18 API calls 55016->55019 55022 489adc 55019->55022 55020 489a8c 55118 44660c 18 API calls 55020->55118 55021 489a48 PostMessageA 55115 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55021->55115 55029 489ae4 RegisterClipboardFormatA 55022->55029 55036 489b9c 55024->55036 55037 489b57 55024->55037 55121 44660c 18 API calls 55025->55121 55027 489a99 55119 44660c 18 API calls 55027->55119 55033 4468e8 5 API calls 55029->55033 55031 489aa4 SendNotifyMessageA 55120 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55031->55120 55032 489b15 55122 44660c 18 API calls 55032->55122 55033->54976 55043 489bab 55036->55043 55044 489bf0 55036->55044 55124 44660c 18 API calls 55037->55124 55038 489b22 55123 44660c 18 API calls 55038->55123 55041 489b63 55125 44660c 18 API calls 55041->55125 55042 489b2d SendMessageA 55047 4468e8 5 API calls 55042->55047 55128 44660c 18 API calls 55043->55128 55052 489bff 55044->55052 55053 489c52 55044->55053 55046 489b70 55126 44660c 18 API calls 55046->55126 55047->54995 55050 489bb7 55129 44660c 18 API calls 55050->55129 55051 489b7b PostMessageA 55127 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55051->55127 55056 446668 18 API calls 55052->55056 55060 489cd9 55053->55060 55061 489c61 55053->55061 55058 489c0c 55056->55058 55057 489bc4 55130 44660c 18 API calls 55057->55130 55062 42e1d0 2 API calls 55058->55062 55071 489ce8 55060->55071 55072 489d0e 55060->55072 55064 446668 18 API calls 55061->55064 55065 489c19 55062->55065 55063 489bcf SendNotifyMessageA 55131 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55063->55131 55067 489c70 55064->55067 55068 489c2f GetLastError 
55065->55068 55069 489c1f 55065->55069 55132 44660c 18 API calls 55067->55132 55073 4468e8 5 API calls 55068->55073 55070 4468e8 5 API calls 55069->55070 55074 489c2d 55070->55074 55137 44660c 18 API calls 55071->55137 55079 489d1d 55072->55079 55080 489d40 55072->55080 55073->55074 55078 4468e8 5 API calls 55074->55078 55077 489cf2 FreeLibrary 55138 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55077->55138 55078->54976 55083 446668 18 API calls 55079->55083 55089 489d4f 55080->55089 55095 489d83 55080->55095 55081 489c83 GetProcAddress 55084 489cc9 55081->55084 55085 489c8f 55081->55085 55086 489d29 55083->55086 55136 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55084->55136 55133 44660c 18 API calls 55085->55133 55091 489d31 CreateMutexA 55086->55091 55092 446668 18 API calls 55089->55092 55090 489c9b 55134 44660c 18 API calls 55090->55134 55091->54976 55097 489d5b 55092->55097 55094 489ca8 55098 4468e8 5 API calls 55094->55098 55095->54976 55096 446668 18 API calls 55095->55096 55103 489d9e 55096->55103 55099 489d6c OemToCharBuffA 55097->55099 55100 489cb9 55098->55100 55139 4469bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55099->55139 55135 446740 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55100->55135 55104 489daf CharToOemBuffA 55103->55104 55140 4469bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 55104->55140 55106->54975 55107->54994 55108->54999 55109->55003 55110->55010 55111->55002 55112->55009 55113->55013 55114->55021 55115->54995 55116->55011 55117->55020 55118->55027 55119->55031 55120->54976 55121->55032 55122->55038 55123->55042 55124->55041 55125->55046 55126->55051 55127->54995 55128->55050 55129->55057 55130->55063 55131->54976 55132->55081 55133->55090 55134->55094 55135->54995 55136->54995 55137->55077 55138->54976 55139->54976 55140->54976 50292 46605c 50293 466092 50292->50293 50320 46627f 50292->50320 50295 4660c6 50293->50295 50297 466110 
50293->50297 50298 466121 50293->50298 50299 4660ee 50293->50299 50300 4660ff 50293->50300 50301 4660dd 50293->50301 50294 403400 4 API calls 50296 46630b 50294->50296 50302 463910 19 API calls 50295->50302 50295->50320 50304 403400 4 API calls 50296->50304 50469 465dcc 59 API calls 50297->50469 50470 465fec 41 API calls 50298->50470 50468 465ab0 37 API calls 50299->50468 50328 465bf8 50300->50328 50467 465948 42 API calls 50301->50467 50311 466143 50302->50311 50309 466313 50304->50309 50310 4660e3 50310->50295 50310->50320 50315 466185 50311->50315 50311->50320 50471 48be34 50311->50471 50313 46384c 19 API calls 50313->50315 50314 414a80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50314->50315 50315->50313 50315->50314 50316 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50315->50316 50317 46626c 50315->50317 50319 42ca94 6 API calls 50315->50319 50315->50320 50323 46535c 23 API calls 50315->50323 50324 4662ed 50315->50324 50369 465288 50315->50369 50376 464bc0 50315->50376 50396 47b128 50315->50396 50491 465728 19 API calls 50315->50491 50316->50315 50490 47b56c 96 API calls 50317->50490 50319->50315 50320->50294 50323->50315 50326 46535c 23 API calls 50324->50326 50326->50320 50492 4666fc 50328->50492 50331 465d90 50332 403400 4 API calls 50331->50332 50334 465da5 50332->50334 50333 414a80 4 API calls 50335 465c46 50333->50335 50336 403420 4 API calls 50334->50336 50337 465c53 50335->50337 50338 465d81 50335->50338 50339 465db2 50336->50339 50495 42c7b4 50337->50495 50341 403450 4 API calls 50338->50341 50342 403400 4 API calls 50339->50342 50341->50331 50344 465dba 50342->50344 50344->50295 50345 42c394 5 API calls 50346 465c6d 50345->50346 50503 4541a0 13 API calls 50346->50503 50348 465d3f 50348->50331 50348->50338 50353 42cc1c 7 API calls 50348->50353 50349 465cdf 50349->50331 50349->50348 50506 42cc1c 50349->50506 50352 465c7a 50352->50349 50354 461358 19 API calls 50352->50354 50357 465d55 50353->50357 50356 465ca9 50354->50356 50359 461358 19 
API calls 50356->50359 50357->50338 50511 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50357->50511 50358 465d2f 50510 477340 37 API calls 50358->50510 50361 465cba 50359->50361 50504 45052c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50361->50504 50364 465d6c 50512 477340 37 API calls 50364->50512 50365 465ccf 50505 477340 37 API calls 50365->50505 50368 465d7c 50368->50331 50368->50338 50370 465294 50369->50370 50371 465299 50369->50371 50372 465297 50370->50372 50626 464d00 50370->50626 50711 464740 42 API calls 50371->50711 50372->50315 50374 4652a1 50374->50315 50377 464be7 50376->50377 50727 4763a0 50377->50727 50379 464bf9 50380 461558 20 API calls 50379->50380 50395 464c57 50379->50395 50382 464c07 50380->50382 50381 403400 4 API calls 50383 464c88 50381->50383 50384 40357c 4 API calls 50382->50384 50383->50315 50385 464c14 50384->50385 50386 40357c 4 API calls 50385->50386 50387 464c21 50386->50387 50388 40357c 4 API calls 50387->50388 50389 464c2e 50388->50389 50390 40357c 4 API calls 50389->50390 50391 464c3c 50390->50391 50392 414ab0 4 API calls 50391->50392 50393 464c4a 50392->50393 50394 461890 9 API calls 50393->50394 50394->50395 50395->50381 50397 4666fc 46 API calls 50396->50397 50398 47b16b 50397->50398 50399 47b174 50398->50399 50948 408b70 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50398->50948 50401 414a80 4 API calls 50399->50401 50402 47b184 50401->50402 50403 403450 4 API calls 50402->50403 50404 47b191 50403->50404 50775 4669e4 50404->50775 50407 47b1a1 50409 414a80 4 API calls 50407->50409 50410 47b1b1 50409->50410 50411 403450 4 API calls 50410->50411 50412 47b1be 50411->50412 50413 464528 SendMessageA 50412->50413 50414 47b1d7 50413->50414 50415 47b215 50414->50415 50950 472b2c 23 API calls 50414->50950 50417 424174 11 API calls 50415->50417 50418 47b21f 50417->50418 50419 47b245 50418->50419 50420 47b230 SetActiveWindow 50418->50420 50804 47a738 50419->50804 50420->50419 50467->50310 50468->50295 
50469->50295 50470->50295 52459 43d058 50471->52459 50474 48be56 52464 4312c8 50474->52464 50475 48bede 50475->50315 50476 48becf 50476->50475 52497 48b670 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50476->52497 50485 48bea0 52495 48b704 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50485->52495 50487 48bea7 52496 4334c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50487->52496 50489 48bec7 50489->50315 50490->50320 50491->50315 50513 466788 50492->50513 50617 42c5a4 50495->50617 50498 42c7d1 50500 403778 4 API calls 50498->50500 50499 42c7c8 50501 403400 4 API calls 50499->50501 50502 42c7cf 50500->50502 50501->50502 50502->50345 50503->50352 50504->50365 50505->50349 50620 42cba0 50506->50620 50509 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50509->50358 50510->50348 50511->50364 50512->50368 50514 414a80 4 API calls 50513->50514 50515 4667ba 50514->50515 50567 4615f0 50515->50567 50518 414ab0 4 API calls 50519 4667cc 50518->50519 50520 4667db 50519->50520 50522 4667f4 50519->50522 50596 477340 37 API calls 50520->50596 50524 46683b 50522->50524 50526 466822 50522->50526 50523 403420 4 API calls 50525 465c2a 50523->50525 50527 466898 50524->50527 50540 46683f 50524->50540 50525->50331 50525->50333 50597 477340 37 API calls 50526->50597 50599 42ca24 CharNextA 50527->50599 50530 4668a7 50531 4668ab 50530->50531 50535 4668c4 50530->50535 50600 477340 37 API calls 50531->50600 50533 46687f 50598 477340 37 API calls 50533->50598 50536 4668e8 50535->50536 50576 461760 50535->50576 50601 477340 37 API calls 50536->50601 50540->50533 50540->50535 50543 466901 50544 403778 4 API calls 50543->50544 50545 466917 50544->50545 50584 42c884 50545->50584 50548 466956 50550 42c7b4 5 API calls 50548->50550 50549 466928 50602 4617ec LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50549->50602 50552 466961 50550->50552 50554 42c394 5 API calls 50552->50554 50553 46693b 50603 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50553->50603 50556 46696c 50554->50556 
50559 42ca94 6 API calls 50556->50559 50557 466948 50604 477340 37 API calls 50557->50604 50561 466977 50559->50561 50560 4667ef 50560->50523 50588 46671c 50561->50588 50563 46697f 50564 42cc1c 7 API calls 50563->50564 50565 466987 50564->50565 50565->50560 50605 477340 37 API calls 50565->50605 50572 46160a 50567->50572 50569 42ca94 6 API calls 50569->50572 50570 403450 4 API calls 50570->50572 50571 406b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50571->50572 50572->50569 50572->50570 50572->50571 50573 461653 50572->50573 50606 42c994 50572->50606 50574 403420 4 API calls 50573->50574 50575 46166d 50574->50575 50575->50518 50577 46176a 50576->50577 50578 461781 CharNextA 50577->50578 50579 46177d 50577->50579 50578->50577 50579->50536 50580 461790 50579->50580 50581 46179a 50580->50581 50582 4617c7 50581->50582 50583 4617cb CharNextA 50581->50583 50582->50536 50582->50543 50583->50581 50585 42c8dc 50584->50585 50586 42c89a 50584->50586 50585->50548 50585->50549 50586->50585 50587 42c8cd CharNextA 50586->50587 50587->50586 50589 466781 50588->50589 50590 46672f 50588->50590 50589->50563 50590->50589 50591 41ee3c 2 API calls 50590->50591 50592 46673f 50591->50592 50593 466759 SHPathPrepareForWriteA 50592->50593 50594 41eef0 6 API calls 50593->50594 50595 466779 50594->50595 50595->50563 50596->50560 50597->50560 50598->50560 50599->50530 50600->50560 50601->50560 50602->50553 50603->50557 50604->50560 50605->50560 50607 403494 4 API calls 50606->50607 50608 42c9a4 50607->50608 50609 403744 4 API calls 50608->50609 50612 42c9da 50608->50612 50615 42c3d8 IsDBCSLeadByte 50608->50615 50609->50608 50611 42ca1e 50611->50572 50612->50611 50614 4037b8 4 API calls 50612->50614 50616 42c3d8 IsDBCSLeadByte 50612->50616 50614->50612 50615->50608 50616->50612 50618 42c5ac IsDBCSLeadByte 50617->50618 50619 42c5ab 50618->50619 50619->50498 50619->50499 50621 42ca94 6 API calls 50620->50621 50622 42cbc2 50621->50622 50623 42cbca GetFileAttributesA 50622->50623 50624 403400 
4 API calls 50623->50624 50625 42cbe7 50624->50625 50625->50348 50625->50509 50628 464d47 50626->50628 50627 4651b3 50630 4651ce 50627->50630 50631 4651ff 50627->50631 50628->50627 50629 464e02 50628->50629 50632 403494 4 API calls 50628->50632 50635 464e1d 50629->50635 50640 464e5e 50629->50640 50633 403494 4 API calls 50630->50633 50634 403494 4 API calls 50631->50634 50637 464d86 50632->50637 50638 4651dc 50633->50638 50639 46520d 50634->50639 50636 403494 4 API calls 50635->50636 50641 464e2b 50636->50641 50642 414a80 4 API calls 50637->50642 50723 463df8 10 API calls 50638->50723 50724 463df8 10 API calls 50639->50724 50644 403400 4 API calls 50640->50644 50646 414a80 4 API calls 50641->50646 50647 464da7 50642->50647 50648 464e5c 50644->50648 50650 464e4c 50646->50650 50651 403634 4 API calls 50647->50651 50668 464f42 50648->50668 50712 464528 50648->50712 50649 4651ea 50652 403400 4 API calls 50649->50652 50653 403634 4 API calls 50650->50653 50654 464db7 50651->50654 50656 465230 50652->50656 50653->50648 50658 414a80 4 API calls 50654->50658 50661 403400 4 API calls 50656->50661 50657 464fc4 50659 403400 4 API calls 50657->50659 50662 464dcb 50658->50662 50663 464fc2 50659->50663 50660 464e7e 50664 464e84 50660->50664 50665 464ebc 50660->50665 50666 465238 50661->50666 50662->50629 50674 414a80 4 API calls 50662->50674 50718 464964 39 API calls 50663->50718 50670 403494 4 API calls 50664->50670 50669 403400 4 API calls 50665->50669 50667 403420 4 API calls 50666->50667 50671 465245 50667->50671 50668->50657 50672 464f83 50668->50672 50673 464eba 50669->50673 50675 464e92 50670->50675 50671->50372 50677 403494 4 API calls 50672->50677 50686 46481c 39 API calls 50673->50686 50678 464df2 50674->50678 50676 474c8c 39 API calls 50675->50676 50681 464eaa 50676->50681 50682 464f91 50677->50682 50683 403634 4 API calls 50678->50683 50680 464fed 50689 46504e 50680->50689 50690 464ff8 50680->50690 50684 403634 4 API calls 50681->50684 50685 414a80 4 API calls 
50682->50685 50683->50629 50684->50673 50687 464fb2 50685->50687 50688 464ee3 50686->50688 50691 403634 4 API calls 50687->50691 50695 464f44 50688->50695 50696 464eee 50688->50696 50692 403400 4 API calls 50689->50692 50693 403494 4 API calls 50690->50693 50691->50663 50694 465056 50692->50694 50701 465006 50693->50701 50699 46504c 50694->50699 50710 4650ff 50694->50710 50697 403400 4 API calls 50695->50697 50698 403494 4 API calls 50696->50698 50697->50668 50703 464efc 50698->50703 50699->50694 50719 48bd38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50699->50719 50701->50694 50701->50699 50705 403634 4 API calls 50701->50705 50702 465079 50702->50710 50720 48bfa0 18 API calls 50702->50720 50703->50668 50706 403634 4 API calls 50703->50706 50705->50701 50706->50703 50708 4651a0 50722 4290dc SendMessageA SendMessageA 50708->50722 50721 42908c SendMessageA 50710->50721 50711->50374 50725 429fd8 SendMessageA 50712->50725 50714 464557 50714->50660 50715 464537 50715->50714 50726 429fd8 SendMessageA 50715->50726 50717 464547 50717->50660 50718->50680 50719->50702 50720->50710 50721->50708 50722->50627 50723->50649 50724->50649 50725->50715 50726->50717 50728 476404 50727->50728 50730 4763ce 50727->50730 50729 403420 4 API calls 50728->50729 50731 476505 50729->50731 50744 4540a0 50730->50744 50731->50379 50733 4764ce 50733->50379 50734 4723e4 19 API calls 50737 4763f8 50734->50737 50735 474c8c 39 API calls 50735->50737 50736 474c8c 39 API calls 50740 47647c 50736->50740 50737->50728 50737->50733 50737->50734 50737->50735 50737->50740 50751 475f60 31 API calls 50737->50751 50739 42c814 5 API calls 50739->50740 50740->50736 50740->50737 50740->50739 50743 4764bb 50740->50743 50752 42c83c 50740->50752 50757 4760ac 52 API calls 50740->50757 50743->50728 50745 4540b1 50744->50745 50746 4540b5 50745->50746 50747 4540be 50745->50747 50758 453da4 50746->50758 50766 453e84 29 API calls 50747->50766 50750 4540bb 50750->50737 50751->50737 50753 42c684 IsDBCSLeadByte 
(Call graph, continued. The node/edge list behind the interactive graph is not reproduced here; only the recoverable information is kept. Functions named in this fragment and the Win32 APIs they call: 42dc34 RegOpenKeyExA; 453df0 RegCloseKey; 461760 and 42c884 CharNextA; 408b70 LocalAlloc, TlsSetValue, TlsGetValue, LoadStringA; 407242 SetCurrentDirectoryA; 44efa6 MulDiv; 44efd1 SendMessageA; 424394 PeekMessageA; 424422 TranslateMessage, DispatchMessageA; 424c50 UnhookWindowsHookEx, TerminateThread, KillTimer, IsWindowVisible, ShowWindow; 4242e7 TranslateMDISysAccel; 42431d GetCapture; 42433f SendMessageA; 42429f IsDialogMessage; 42e8e4 SelectObject; 42c5a4 and 42e7e8 IsDBCSLeadByte; 42e89c and 42e9b4 call into an unnamed module at 73A1A570 / 73A1A480; 416b0c SendMessageA; 416b0a CallWindowProcA; 419ff0 GetSysColor; 416b31 SetTextColor; 416b4b SetBkColor; 41a678 GetSysColor, CreateBrushIndirect; 447cbb LoadLibraryExA; 447ccd LoadLibraryA; 447d3b GetProcAddress; 447f2c GetLastError; 406ea0 WriteFile; 4164e8 CreateWindowExA; 4165f0 SetPropA; 416636 SetWindowPos; 412468 GetMenuItemCount, GetMenuStringA, GetMenuState; 4212f8 GetMenu; 421315, 42134a and 421366 SetMenu. The remaining nodes are summarized on the page only as "N API calls" or as LocalAlloc/TlsSetValue/TlsGetValue wrappers.)
APIs
• LocalFileTimeToFileTime.KERNEL32(-00000034,?,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000,?,0046BDAE), ref: 0046A4EA
  • Part of subcall function 004530B0: FindClose.KERNEL32(00000000,000000FF,0046A501,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000), ref: 004530C6
  • Part of subcall function 004684DC: FileTimeToLocalFileTime.KERNEL32(?), ref: 004684E4
  • Part of subcall function 004684DC: FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004684F3
  • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
  • Part of subcall function 004529E0: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452B07
Strings
• Non-default bitness: 32-bit, xrefs: 0046A450
• Stripped read-only attribute., xrefs: 0046AA53
• Uninstaller requires administrator: %s, xrefs: 0046AD01
• Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046A850
• Same version. Skipping., xrefs: 0046A871
• Failed to strip read-only attribute., xrefs: 0046AA5F
• Existing file's MD5 sum matches our file. Skipping., xrefs: 0046A841
• Will register the file (a type library) later., xrefs: 0046B076
• Skipping due to "onlyifdestfileexists" flag., xrefs: 0046AA86
• User opted not to overwrite the existing file. Skipping., xrefs: 0046A9D9
• @, xrefs: 0046A384
• Version of existing file: (none), xrefs: 0046A886
• Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046A85C
• Dest file exists., xrefs: 0046A550
• Non-default bitness: 64-bit, xrefs: 0046A444
• Existing file has a later time stamp. Skipping., xrefs: 0046A95B
• Incrementing shared file count (32-bit)., xrefs: 0046B108
• Version of our file: (none), xrefs: 0046A691
• Time stamp of our file: %s, xrefs: 0046A530
• Time stamp of our file: (failed to read), xrefs: 0046A53C
• InUn, xrefs: 0046ACD1
• Existing file is a newer version. Skipping., xrefs: 0046A797
• Existing file is protected by Windows File Protection. Skipping., xrefs: 0046A978
• Version of our file: %u.%u.%u.%u, xrefs: 0046A685
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046AA22
• .tmp, xrefs: 0046AB43
• Dest filename: %s, xrefs: 0046A429
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046A563
• Same time stamp. Skipping., xrefs: 0046A8E1
• Installing the file., xrefs: 0046AA95
• Time stamp of existing file: (failed to read), xrefs: 0046A5CC
• Couldn't read time stamp. Skipping., xrefs: 0046A8C1
• Time stamp of existing file: %s, xrefs: 0046A5C0
• Dest file is protected by Windows File Protection., xrefs: 0046A482
• Version of existing file: %u.%u.%u.%u, xrefs: 0046A711
• Incrementing shared file count (64-bit)., xrefs: 0046B0EF
• -- File entry --, xrefs: 0046A2D7
• , xrefs: 0046A764, 0046A92C, 0046A9AA
• Will register the file (a DLL/OCX) later., xrefs: 0046B082
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Time$File$Local$CloseFindFullNamePathQuerySystemValue
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 2131814033-2943590984
• Opcode ID: 3fdf83b18051d9a47e42d4fa58cd6ed3722659d7104968c675422b1d0dc0660e
• Instruction ID: 6336488f7475e0465b407838a80b096eb610c46dcf3f2914a726d1c87adbe53b
• Opcode Fuzzy Hash: 3fdf83b18051d9a47e42d4fa58cd6ed3722659d7104968c675422b1d0dc0660e
• Instruction Fuzzy Hash: 2B928130A042489FDB11DFA5C495BDDBBB1AF05308F1440ABE944BB392E7789E85CF5A
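The APIs and Strings lists above are the parts of a function page that a triage analyst actually works from. The Python below is an added example, not code from the Joe Sandbox report or from any tool it describes. It parses the bullet format used on this page, keeps the call-site address and the "Part of subcall function" attribution for every API, and orders the strings by their lowest xref so that the log messages read in the order the routine emits them: "-- File entry --", the destination name, the existence and flag checks, the version, time-stamp and MD5 comparisons, and finally "Installing the file.". It also splits the memory-dump file name into its fields: the fourth field lines up with the region base (0x401000 for the .text dump) and the fifth with a Windows PAGE_* protection value (0x20 = PAGE_EXECUTE_READ, against 0x02 for the read-only header dump at 0x400000 and 0x04 for the PAGE_READWRITE data dump at 0x490000). The meaning of the other fields is not stated on the page, so they are returned raw; the SAMPLE_* lines are abridged copies of the entries above.

```python
"""Parse the APIs / Strings bullets of a Joe Sandbox IDA-plugin function page.

Added example, not code from the report or from Joe Sandbox.  SAMPLE_APIS and
SAMPLE_STRINGS are abridged copies of the entries on this page; the layout of
the .sdmp file name beyond the base-address and protection fields is an
assumption, and those other fields are returned untouched.
"""
import re
from collections import defaultdict

SAMPLE_APIS = """\
• LocalFileTimeToFileTime.KERNEL32(-00000034,?,00000000,0046B26C), ref: 0046A4EA
  • Part of subcall function 004530B0: FindClose.KERNEL32(00000000,000000FF,0046A501), ref: 004530C6
  • Part of subcall function 004684DC: FileTimeToLocalFileTime.KERNEL32(?), ref: 004684E4
  • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
  • Part of subcall function 004529E0: RegQueryValueExA.ADVAPI32(?,?,00000000,?), ref: 00452B07
""".splitlines()

SAMPLE_STRINGS = """\
• Existing file's MD5 sum matches our file. Skipping., xrefs: 0046A841
• Installing the file., xrefs: 0046AA95
• Dest file exists., xrefs: 0046A550
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046A563
• -- File entry --, xrefs: 0046A2D7
• Dest filename: %s, xrefs: 0046A429
• , xrefs: 0046A764, 0046A92C, 0046A9AA
""".splitlines()

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# "• some string, xrefs: XXXXXXXX[, XXXXXXXX ...]"   (the string itself may be empty)
STR_RE = re.compile(
    r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<x>[0-9A-F]{8}(?:,\s*[0-9A-F]{8})*)\s*$")


def parse_apis(lines):
    """One dict per API bullet: name, module, argument list, call-site address and
    the sub-function the call belongs to (None when it is in this function)."""
    out = []
    for line in lines:
        m = API_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        out.append({"api": m["api"], "module": m["mod"], "args": args,
                    "ref": int(m["ref"], 16),
                    "subcall": int(m["sub"], 16) if m["sub"] else None})
    return out


def parse_strings(lines):
    """Map each string to the list of code addresses that reference it."""
    refs = defaultdict(list)
    for line in lines:
        m = STR_RE.match(line)
        if m:
            refs[m["s"]].extend(int(x, 16) for x in re.findall(r"[0-9A-F]{8}", m["x"]))
    return dict(refs)


def strings_in_code_order(lines):
    """Strings sorted by their lowest xref.  For a logging routine this is the order
    in which the messages, and so the checks behind them, appear in the code."""
    refs = parse_strings(lines)
    return [s for s, xs in sorted(refs.items(), key=lambda kv: min(kv[1]))]


PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_sdmp_name(name):
    """Split a .sdmp dump name into its dot-separated fields.  Field 3 is the region
    base and field 4 its PAGE_* protection (consistent with the four dumps listed
    above); the other fields are left raw because the page does not define them."""
    fields = name.removesuffix(".sdmp").split(".")
    protect = int(fields[4], 16)
    return {"fields": fields, "base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect))}


if __name__ == "__main__":
    for a in parse_apis(SAMPLE_APIS):
        where = f"in sub {a['subcall']:08X}" if a["subcall"] else "direct"
        print(f"{a['ref']:08X}  {a['module']}!{a['api']}  ({where})")
    for s in strings_in_code_order(SAMPLE_STRINGS):
        print(repr(s))
    print(parse_sdmp_name("00000001.00000002.2944729758.0000000000401000"
                          ".00000020.00000001.01000000.00000004.sdmp"))
```

A caveat when turning this list into detection content: these messages are the standard file-copy log lines of an Inno Setup installer (the "onlyifdoesntexist" and "onlyifdestfileexists" flags are Inno Setup [Files] flags), so they characterize the installer stub rather than the payload and will match every Inno Setup package; the Opcode/Instruction fuzzy hashes above are likewise per-function similarity keys, not sample-specific indicators.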

Control-flow Graph
(Interactive graph not reproduced; the node/edge list behind it is summarized.) Function 423ba4, basic blocks 423ba4 through 42410f. Internal calls: 423b00, 40b3d4, 423b1c, 42412c, 424174, 4247e8, 41ef8c, 418178, 404e54, 424110, 423b58, 423aac, 41eef0, 41ee3c, 423a1c, 422be4, 4122a8, 4151d8, 42446c, 4244c4. Win32 calls: IsIconic (blocks 424032, 423d66), GetFocus (424046, 423f92), SetFocus (424066 and twice in 423f92), SendMessageA (423eab), PostMessageA (423db6, 423df9, 423e1b), IsWindowEnabled (423f68, 423f09), IsWindowVisible (423f7d).
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de7b7f7f6f0e45f39f4c4f25e6367e04e63d65c7eb0eaf5b5c68f4929e1db6c2
• Instruction ID: f04fb3084d0a65edbfcfad19f7d8c46e112c92b03ef581d164a2f2d40213a873
• Opcode Fuzzy Hash: de7b7f7f6f0e45f39f4c4f25e6367e04e63d65c7eb0eaf5b5c68f4929e1db6c2
• Instruction Fuzzy Hash: B3E18E34700124EFD710DF6AE595A5A77F4EB48305FA480AAE545AB352C73DEF82DB08

Control-flow Graph
(Interactive graph not reproduced; the node/edge list behind it is summarized, and on the page it ends mid-entry.) Function 4620a8, basic blocks 4620a8 through at least 463630. Win32 calls: LoadBitmapA (block 462307), GetSystemMenu and AppendMenuA twice (block 4630e5). The rest of the function is long runs of internal calls (48c7a4, 48ca54, 4145b4, 414574, 414594, 414ab0, 45c1e0, 45c1f8, 45c204, 45c24c, 461558, 461890, 4618c0, 463930, 474c8c, 403494, 40b3d4, 429ff4, 4646bc, 46455c, 44f34c, 44f480, among others).
4635d7-4635de 2400->2435 2436 4635e0-4635ef call 4149dc 2400->2436 2411 463467-46346e 2401->2411 2412 463470-463472 2401->2412 2406->2355 2407->2376 2413 463501 2407->2413 2411->2412 2420 463479-46347d 2411->2420 2412->2420 2413->2355 2431 463632-463655 call 429fd8 call 46481c 2416->2431 2432 46365a-46367d call 474c8c call 403450 2416->2432 2420->2326 2420->2336 2421->2383 2426 463321 2421->2426 2426->2383 2431->2432 2450 46367f-463686 2432->2450 2451 463698-4636a1 2432->2451 2435->2436 2440 4635f1-463600 call 4149dc 2435->2440 2436->2416 2440->2416 2450->2451 2454 463688-463696 call 403494 2450->2454 2452 4636b7-4636c7 call 403494 2451->2452 2453 4636a3-4636b5 call 403684 2451->2453 2461 4636d9-4636f0 call 414ab0 2452->2461 2453->2452 2462 4636c9-4636d4 call 403494 2453->2462 2454->2461 2466 463726-463730 call 4149dc 2461->2466 2467 4636f2-4636f9 2461->2467 2462->2461 2471 463735-46375a call 403400 * 3 2466->2471 2469 463706-463710 call 42b07c 2467->2469 2470 4636fb-463704 2467->2470 2472 463715-463724 call 4149dc 2469->2472 2470->2469 2470->2472 2472->2471
                                                                              APIs
                                                                                • Part of subcall function 0048C854: GetWindowRect.USER32(00000000), ref: 0048C86A
                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00462477
                                                                                • Part of subcall function 0041D648: GetObjectA.GDI32(?,00000018,00462491), ref: 0041D673
                                                                                • Part of subcall function 00461F04: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00461FA1
                                                                                • Part of subcall function 00461F04: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461FC7
                                                                                • Part of subcall function 00461F04: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00462023
                                                                                • Part of subcall function 00461F04: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462049
                                                                                • Part of subcall function 004618C0: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046252C,00000000,00000000,00000000,0000000C,00000000), ref: 004618D8
                                                                                • Part of subcall function 0048CA64: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048CA6E
                                                                                • Part of subcall function 0048C7A4: 73A1A570.USER32(00000000,?,?,?), ref: 0048C7C6
                                                                                • Part of subcall function 0048C7A4: SelectObject.GDI32(?,00000000), ref: 0048C7EC
                                                                                • Part of subcall function 0048C7A4: 73A1A480.USER32(00000000,?,0048C84A,0048C843,?,00000000,?,?,?), ref: 0048C83D
                                                                                • Part of subcall function 0048CA54: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048CA5E
                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021277CC,02129420,?,?,02129450,?,?,021294A0,?), ref: 004630EF
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00463100
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00463118
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadRectSelectSystemUserWindow
                                                                              • String ID: $(Default)$STOPIMAGE
                                                                              • API String ID: 798199749-770201673
                                                                              • Opcode ID: dd3d8fd672a16393e323b753cc00e63073ac8476760509fc2b9c63bba26e635c
                                                                              • Instruction ID: e2e6c99e134b60afcdfb023e5044024a3b924a9daadbdbff726cba202d2a439c
                                                                              • Opcode Fuzzy Hash: dd3d8fd672a16393e323b753cc00e63073ac8476760509fc2b9c63bba26e635c
                                                                              • Instruction Fuzzy Hash: F7F204786005609FCB00EF69D8D9F9973F1BF49304F1581B6E5089B36ADB74AC46CB8A
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?,?,00000000), ref: 004781FC
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?), ref: 00478245
                                                                              • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF), ref: 00478252
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?), ref: 0047829E
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047836B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000), ref: 00478347
                                                                              • FindClose.KERNEL32(000000FF,00478372,0047836B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000), ref: 00478365
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 3541575487-0
                                                                              • Opcode ID: a1d840a3a95355ccfcd61814205dc4e240f9d7f89ce3454cd945cb85c4fc703f
                                                                              • Instruction ID: 4b456bd8f44edda0f97990befda08fb9861f77685885b074d6f5825a5f55381f
                                                                              • Opcode Fuzzy Hash: a1d840a3a95355ccfcd61814205dc4e240f9d7f89ce3454cd945cb85c4fc703f
                                                                              • Instruction Fuzzy Hash: D9518371900608AFCB10DF65CC89ADEB7BCEB88315F1084BAA818E7351DA389F45CF58
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E7E1
                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E8A6
                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E8B4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID: unins$unins???.*
                                                                              • API String ID: 3541575487-1009660736
                                                                              • Opcode ID: 5954555e5c55a6f0c1627fdc79d7bc5d022b8e66c068dfac9c44a8b6961bbd7d
                                                                              • Instruction ID: da53ebf0d1cd316440c2c9d692973d590bf560a688ad98a6ce3dd60fa39449aa
                                                                              • Opcode Fuzzy Hash: 5954555e5c55a6f0c1627fdc79d7bc5d022b8e66c068dfac9c44a8b6961bbd7d
                                                                              • Instruction Fuzzy Hash: C7316774A00108AFDB10EB66C985ADDBBFCEF05314F5044B6E408E72A2EB389F458F59
                                                                              APIs
                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447D79), ref: 00447CBC
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00447D3D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID:
                                                                              • API String ID: 2574300362-0
                                                                              • Opcode ID: 8ac92d76eb4c457e5a836ea8d51ed146a922b316cb3139a6b1e03fbfd02b8e5e
                                                                              • Instruction ID: 6c9917709a3bb01d3cef5f5576a292de38f6b5bc033f1de1a8ebe1fb7d1d4e76
                                                                              • Opcode Fuzzy Hash: 8ac92d76eb4c457e5a836ea8d51ed146a922b316cb3139a6b1e03fbfd02b8e5e
                                                                              • Instruction Fuzzy Hash: 215162B4E14105AFDB00EFA5C481AAEB7F8EF44315F10817AE414BB396DB789E05CB99
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004510BF,?,?,-00000001,00000000), ref: 00451099
                                                                              • GetLastError.KERNEL32(00000000,?,00000000,004510BF,?,?,-00000001,00000000), ref: 004510A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileFindFirstLast
                                                                              • String ID:
                                                                              • API String ID: 873889042-0
                                                                              • Opcode ID: 96ff706b865a0c3e89c7056d59f0f3c4ab756fbe47ee1fbad52e8f7b66ca27f2
                                                                              • Instruction ID: dcd16dfe0d0acbeeb8a94117288214fa7a4cb679286425af3742c04ea9233ea0
                                                                              • Opcode Fuzzy Hash: 96ff706b865a0c3e89c7056d59f0f3c4ab756fbe47ee1fbad52e8f7b66ca27f2
                                                                              • Instruction Fuzzy Hash: 8BF04931A04248AB8B10EBA69C0149EF7FCDB45725710467BFC14D36D2DA384E088459
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 454902a201ecd8c2e3acffde7e58753429cd464d257c0cf4bbdc702fc318ca5b
                                                                              • Instruction ID: aa8d71f0cf4996895b5714cb82768bd341bd21fdaf985382d0229dd3d02663df
                                                                              • Opcode Fuzzy Hash: 454902a201ecd8c2e3acffde7e58753429cd464d257c0cf4bbdc702fc318ca5b
                                                                              • Instruction Fuzzy Hash: 21E0223270021462C312A92A9C869FAB34C9718354F80427FB948EB3C2EDB89E4142A8
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240E9,?,00000000,004240F4), ref: 00423B46
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 77c70bcfc7927947356adb6f285545ec865374c17fa01f2fb7cfae3df505fd29
                                                                              • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                              • Opcode Fuzzy Hash: 77c70bcfc7927947356adb6f285545ec865374c17fa01f2fb7cfae3df505fd29
                                                                              • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: 008a9077d124f579bb04a1004ac0de0847756ec584201c2ea88912a5e1bb432e
                                                                              • Instruction ID: f3c69ebd9ed117dfcaeb8cc8e69b6e769c8652df099553d2070ab915e5811657
                                                                              • Opcode Fuzzy Hash: 008a9077d124f579bb04a1004ac0de0847756ec584201c2ea88912a5e1bb432e
                                                                              • Instruction Fuzzy Hash: 6CD0C2F120820053C701AE6C9C826DA358C8B84316F10483E7CC5EA3C3E6BCDB48965A
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ECE8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 9024b4e4831e1ae9fb058c403311c5830c57d00addc6cc7f2e9f7de8ab8c4f6c
                                                                              • Instruction ID: cb239410a598a835b8bea7527afbeda5977673bb60cf362c78a8a88c20d7e3ba
                                                                              • Opcode Fuzzy Hash: 9024b4e4831e1ae9fb058c403311c5830c57d00addc6cc7f2e9f7de8ab8c4f6c
                                                                              • Instruction Fuzzy Hash: 2BD0A77120010CAFCB00DEDAD840C6F33ADAB88700B60C915F518C7201C234EC51D7B8
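The record that follows (function 00468CA0-004691D5) is the installer's uninstall-registration routine: its RegSetValueExA / RegCloseKey calls and its string table show it writing the standard Inno Setup values (DisplayName, DisplayVersion, InstallLocation, InstallDate, UninstallString, QuietUninstallString with " /SILENT", and the "Inno Setup: ..." bookkeeping values) under Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1. On a host where this sample ran, that key is the fastest way to recover the install directory, the uninstaller path and the install date. The script below is an added example, not code from the Joe Sandbox report or from the sample; it parses a .reg export of the Uninstall branch and pulls those fields from every `_is1` entry. The export embedded in it is constructed for the example, with a placeholder AppId and install path, and is not data captured from the sandbox run.

```python
"""Inno Setup uninstall-entry triage (added example; not part of the report)."""
import re

# Inno Setup registers its uninstaller under this path in HKLM or HKCU
# (and under WOW6432Node on 64-bit Windows for a 32-bit install); the
# substring test below matches all of those variants.
UNINSTALL_PATH = "\\currentversion\\uninstall\\"

# Value names the sandbox string table shows the installer writing.
INNO_VALUE_NAMES = {
    "Inno Setup: Setup Version", "Inno Setup: App Path", "Inno Setup: User",
    "Inno Setup: Setup Type", "Inno Setup: Selected Components",
    "Inno Setup: Deselected Components", "Inno Setup: Selected Tasks",
    "Inno Setup: Deselected Tasks", "Inno Setup: Icon Group",
    "Inno Setup: No Icons", "Inno Setup: User Info: Name",
    "Inno Setup: User Info: Organization", "Inno Setup: User Info: Serial",
}

# Constructed .reg export (NOT captured from the sandbox run): one Inno Setup
# entry with a placeholder AppId and install path, plus an MSI entry that the
# filter must ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-APP-ID}_is1]
"Inno Setup: Setup Version"="5.2.2"
"Inno Setup: App Path"="C:\\ProgramData\\ExampleApp"
"InstallLocation"="C:\\ProgramData\\ExampleApp\\"
"DisplayName"="Example App"
"DisplayVersion"="1.0"
"UninstallString"="\"C:\\ProgramData\\ExampleApp\\unins000.exe\""
"QuietUninstallString"="\"C:\\ProgramData\\ExampleApp\\unins000.exe\" /SILENT"
"InstallDate"="20241024"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="Some MSI Product"
"UninstallString"="MsiExec.exe /X{11111111-2222-3333-4444-555555555555}"
'''

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: every backslash escapes the character after it.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data: str):
    # String values are quoted; dword values are hex. Other types (hex:, hex(2):)
    # are left as raw text in this example.
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode(m.group("data"))
    return keys


def is_inno_setup_entry(key_path: str, values: dict) -> bool:
    """True for an Uninstall subkey created by Inno Setup: the key name ends in
    _is1 or the Inno Setup bookkeeping values are present."""
    if UNINSTALL_PATH not in key_path.lower():
        return False
    leaf = key_path.rsplit("\\", 1)[-1]
    return leaf.lower().endswith("_is1") or bool(INNO_VALUE_NAMES & values.keys())


def find_inno_entries(keys: dict) -> list:
    """Extract the fields a responder wants from each Inno Setup uninstall entry."""
    entries = []
    for key_path, values in keys.items():
        if not is_inno_setup_entry(key_path, values):
            continue
        leaf = key_path.rsplit("\\", 1)[-1]
        quiet = values.get("QuietUninstallString", "")
        entries.append({
            "key": key_path,
            "app_id": leaf[:-4] if leaf.lower().endswith("_is1") else leaf,
            "display_name": values.get("DisplayName"),
            "setup_version": values.get("Inno Setup: Setup Version"),
            "install_location": values.get("InstallLocation") or values.get("Inno Setup: App Path"),
            "uninstaller": values.get("UninstallString"),
            # " /SILENT" in QuietUninstallString is the switch seen in the report's string table.
            "silent_uninstall": "/silent" in quiet.lower(),
            "install_date": values.get("InstallDate"),
        })
    return entries


if __name__ == "__main__":
    for entry in find_inno_entries(parse_reg(SAMPLE_REG)):
        for field, value in entry.items():
            print(f"{field:>17}: {value}")
```

To run it against a real host, export the branch with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall out.reg`; that file is UTF-16LE with a BOM, so read it with `encoding="utf-16"` before passing it to `parse_reg`. On 64-bit Windows also export the WOW6432Node copy of the Uninstall branch, and check HKCU as well, since Inno Setup registers under the current user when the installer runs without elevation.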

                                                                              Control-flow Graph

                                                                              • Control-flow graph for the function at 00468CA0-004691D5 (interactive graph in the original report; executed/not-executed colouring and node list not reproduced). Win32 import called directly from this function: RegCloseKey.
                                                                              APIs
                                                                                • Part of subcall function 00468B98: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00492070,?,00468D8F,?,00000000,004691D6,?,_is1), ref: 00468BBB
                                                                              • RegCloseKey.ADVAPI32(?,004691DD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00469225,?,?,00000001,00492070), ref: 004691D0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseValue
                                                                              • String ID: " /SILENT$5.2.2$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                              • API String ID: 3132538880-2888065510
                                                                              • Opcode ID: 8e400fefc372f4228430415f0abf4997977dbf4c0148ece2af7f1ed10c744407
                                                                              • Instruction ID: 2b184e7f52b8dd81450d0be586453aca755d6178f524d2079868e467ff7f2638
                                                                              • Opcode Fuzzy Hash: 8e400fefc372f4228430415f0abf4997977dbf4c0148ece2af7f1ed10c744407
                                                                              • Instruction Fuzzy Hash: 11E15474A00109AFDB04DB95D995DAE73BDEB44304F60857BE4006B395EFB8BE01CB6A

Control-flow Graph
[Graph not reproduced: basic blocks 004898F0–00489DE4. A chain of string comparisons (subroutine 00403684) selects one branch per support-function name listed under String ID; the branches reach Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetLastError, GetProcAddress, FreeLibrary, CreateMutexA, OemToCharBuffA and CharToOemBuffA.]
APIs
• Sleep.KERNEL32(00000000,00000000,00489DE5,?,?,?,?,00000000,00000000,00000000), ref: 00489930
• FindWindowA.USER32(00000000,00000000), ref: 00489961
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309
• Opcode ID: 11aadbbc4c170190f4a34afd2cca014936b750219a751b0faab1f1189547b9c9
• Instruction ID: c39bd2ead2226f229d9df2653bd58b97473c78e3bea4bfa0a2e8f2c6fd329258
• Opcode Fuzzy Hash: 11aadbbc4c170190f4a34afd2cca014936b750219a751b0faab1f1189547b9c9
• Instruction Fuzzy Hash: A4C150A0B046406BD714FB7E8C4252E56999B89708B16CD3FB406EB78BCE3DDD06835E

Control-flow Graph
[Graph not reproduced: basic blocks 0047B97C–0047BA52. Resolves GetNativeSystemInfo, IsWow64Process, GetSystemWow64DirectoryA and RegDeleteKeyExA at run time through GetModuleHandleA/GetProcAddress, and falls back to GetSystemInfo when GetNativeSystemInfo cannot be resolved.]
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047B98D
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047B99A
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047B9A8
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047B9B0
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047B9BC
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047B9DD
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047B9F0
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047B9F6
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047BA0D
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: 81eacbfa1117fc802ce85a6eb806590c881bfcf0bf282382394a4f17a0ea04d1
• Instruction ID: c73b0a6dce2ec8c546d6017445dcf813fc625a9fb72c38026e9dd29615451d51
• Opcode Fuzzy Hash: 81eacbfa1117fc802ce85a6eb806590c881bfcf0bf282382394a4f17a0ea04d1
• Instruction Fuzzy Hash: 1811BE42108340D8CB60B3B55D89BFB2658CB10718F18C43B688C76283EB7CCD849AEE

Control-flow Graph
[Graph not reproduced: basic blocks 00463A24–00463C58. Opens the %s\%s_is1 uninstall key, references the "Inno Setup: ..." value names listed below through subroutine 0042DB64, and ends with RegCloseKey.]
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegCloseKey.ADVAPI32(?,00463C3E,?,?,00000001,00000000,00000000,00463C59,?,00000000,00000000,?), ref: 00463C27
Strings
• Inno Setup: Deselected Components, xrefs: 00463B68
• Inno Setup: Icon Group, xrefs: 00463B02
• Inno Setup: Deselected Tasks, xrefs: 00463BB5
• Inno Setup: User Info: Name, xrefs: 00463BE3
• Inno Setup: Setup Type, xrefs: 00463B36
• Inno Setup: Selected Components, xrefs: 00463B46
• Inno Setup: Selected Tasks, xrefs: 00463B93
• Inno Setup: App Path, xrefs: 00463AE6
• Inno Setup: No Icons, xrefs: 00463B0F
• Inno Setup: User Info: Organization, xrefs: 00463BF6
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00463A83
• Inno Setup: User Info: Serial, xrefs: 00463C09
• %s\%s_is1, xrefs: 00463AA1
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1093091907
• Opcode ID: 8d6299267fc6cafed9e48b8ef22c3bd00aa88e6b0c1ec62e8969358afa6a497b
• Instruction ID: dbabc4e6d65f788916ea02928a74f772d248f11b4c629be6c36095f62d234fb1
• Opcode Fuzzy Hash: 8d6299267fc6cafed9e48b8ef22c3bd00aa88e6b0c1ec62e8969358afa6a497b
• Instruction Fuzzy Hash: 9251A134A00788ABCB11DF65D952BDEBBB4EF44304F5080AAE844A7396E7786F05CB4D
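The function at 00468CA0 writes, and the one at 00463A24 reads back, the values under Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1, which is where every Inno Setup installer, benign or malicious, leaves its footprint on the host. The script below is a triage aid added to this report; it is not part of the Joe Sandbox output, the sample, or Inno Setup. It enumerates the _is1 keys in the native and WOW6432Node HKLM hives and in HKCU (per-user installs), dumps the value names seen in the string lists above, and flags entries whose "Inno Setup: App Path" lies outside the Program Files roots. That "trusted roots" rule is an analyst assumption, not a property of the sample; tune it to the environment.

```powershell
# Triage of Inno Setup uninstall entries (example added to the report, not code from the sample).
# Inno Setup registers each install under
#   <hive>\Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1
# together with the "Inno Setup: ..." values listed in the report's string tables.

# Assumption: an App Path outside these roots deserves a closer look.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | Sort-Object -Unique

# Native 64-bit view, 32-bit (WOW6432Node) view, and the current user's per-user installs.
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Value names taken from the String ID fields of functions 00468CA0 and 00463A24.
$InnoValues = @(
    'DisplayName', 'DisplayVersion', 'Publisher', 'InstallDate', 'InstallLocation',
    'UninstallString', 'QuietUninstallString',
    'Inno Setup: App Path', 'Inno Setup: Setup Version', 'Inno Setup: User',
    'Inno Setup: Setup Type', 'Inno Setup: Selected Tasks', 'Inno Setup: Selected Components',
    'Inno Setup: Icon Group'
)

function Test-UnderTrustedRoot {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and trailing arguments such as " /SILENT".
    $clean = $Path -replace '^\s*"([^"]+)".*$', '$1'
    foreach ($root in $TrustedRoots) {
        if ($clean.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-InnoSetupEntries {
    foreach ($hive in $Hives) {
        if (-not (Test-Path -Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*_is1' } |
            ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath
                $row = [ordered]@{ Key = $_.Name }
                foreach ($name in $InnoValues) { $row[$name] = $props.$name }
                # Analyst heuristic: install root outside Program Files.
                $row['OutsideTrustedRoots'] = -not (Test-UnderTrustedRoot $props.'Inno Setup: App Path')
                [pscustomobject]$row
            }
    }
}

$entries = @(Get-InnoSetupEntries)
# InstallDate is written as yyyymmdd, so a string sort puts the newest installs first.
$entries | Sort-Object -Property InstallDate -Descending | Format-List

foreach ($e in $entries | Where-Object { $_.OutsideTrustedRoots }) {
    Write-Warning ("Inno Setup entry outside trusted roots: {0} -> {1} (uninstaller: {2})" -f
        $e.Key, $e.'Inno Setup: App Path', $e.UninstallString)
}
```

Run it in an elevated PowerShell on the suspect host (or against a mounted image with `reg load` and the hive paths adjusted). It only covers the current user's HKCU; for other profiles load their NTUSER.DAT under HKU and add that path to `$Hives`. The QuietUninstallString value (UninstallString plus ` /SILENT`, as in the string list above) gives a responder a non-interactive removal command once the entry is confirmed as the sample's.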

Control-flow Graph
[Graph not reproduced: basic blocks 0047572C–00475866. Resolves SHGetFolderPathA through GetProcAddress from shfolder.dll or shell32.dll, or from the bundled _isetup\_shfoldr.dll named under String ID, raising the listed error strings on failure.]
APIs
• GetProcAddress.KERNEL32(6FBC0000,SHGetFolderPathA), ref: 0047582E
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: AddressProc
• String ID: 2H$Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 190572456-2806916834
• Opcode ID: 6343bc9988d6265b4ba6d281d40f77122325604365d66226f20c22221f21ac89
• Instruction ID: 5a4b97917b168a48da4d645f6c4bb0672a7e70e8e7de77cb767a7cd1621b6e88
• Opcode Fuzzy Hash: 6343bc9988d6265b4ba6d281d40f77122325604365d66226f20c22221f21ac89
• Instruction Fuzzy Hash: FD311F70A00609DFCB10EBA5D982ADEB7B5EB04314F618477E804EF251D7B8AE04CB9D

Control-flow Graph
[Graph not reproduced: basic blocks 0042380C–00423943. Registers the application window class (GetClassInfoA/RegisterClassA), queries GetSystemMetrics, sets the window procedure with SetWindowLongA, and removes entries from the system menu via GetSystemMenu/DeleteMenu.]
APIs
  • Part of subcall function 0041F35C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED3C,?,00423827,00423BA4,0041ED3C), ref: 0041F37A
• GetClassInfoA.USER32(00400000,00423614), ref: 00423837
• RegisterClassA.USER32(00490630), ref: 0042384F
• GetSystemMetrics.USER32(00000000), ref: 00423871
• GetSystemMetrics.USER32(00000001), ref: 00423880
• SetWindowLongA.USER32(004105E8,000000FC,00423624), ref: 004238DC
• SendMessageA.USER32(004105E8,00000080,00000001,00000000), ref: 004238FD
• GetSystemMenu.USER32(004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4,0041ED3C), ref: 00423908
• DeleteMenu.USER32(00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4,0041ED3C), ref: 00423917
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423924
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042393A
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID:
• API String ID: 183575631-0
• Opcode ID: 366bcff5bffb3164fdbe23fc2e60ac014bdc14989a75390d73933288121bc891
• Instruction ID: 7dff32b1696b5347cc3ef800d63acf607d09fd6a935ce00206748f93829a4864
• Opcode Fuzzy Hash: 366bcff5bffb3164fdbe23fc2e60ac014bdc14989a75390d73933288121bc891
• Instruction Fuzzy Hash: 003171B17402506AEB10BF659C82F663698AB14708F60017BFA44EF2E7C6BDED40876D

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1836 42ed0c-42ed16 1837 42ed20-42ed5d call 402b30 GetActiveWindow GetFocus call 41ee3c 1836->1837 1838 42ed18-42ed1b call 402d30 1836->1838 1844 42ed6f-42ed77 1837->1844 1845 42ed5f-42ed69 RegisterClassA 1837->1845 1838->1837 1846 42edfe-42ee1a SetFocus call 403400 1844->1846 1847 42ed7d-42edae CreateWindowExA 1844->1847 1845->1844 1847->1846 1849 42edb0-42edf4 call 424214 call 403738 CreateWindowExA 1847->1849 1849->1846 1855 42edf6-42edf9 ShowWindow 1849->1855 1855->1846
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042ED3B
                                                                              • GetFocus.USER32 ref: 0042ED43
                                                                              • RegisterClassA.USER32(004907AC), ref: 0042ED64
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EE38,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EDA2
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EDE8
                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EDF9
                                                                              • SetFocus.USER32(00000000,00000000,0042EE1B,?,?,?,00000001,00000000,?,0045632E,00000000,00491628), ref: 0042EE00
                                                                              Strings
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window

Control-flow Graph

Control-flow graph (rendered image, not reproducible as text; legend: executed / not executed): basic blocks 4517ec-451884, calling GetModuleHandleA and GetProcAddress twice each, then subcalls to 42e1d0, 42e650 and 403400.
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 0045180C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451812
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 00451826
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045182C
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00475573,?,?,00000000,00491628,00000000,00000000,?,0048F526,00000000,0048F6CF,?,00000000), ref: 00475493
• GetLastError.KERNEL32(00000000,00000000,00000000,00475573,?,?,00000000,00491628,00000000,00000000,?,0048F526,00000000,0048F6CF,?,00000000), ref: 0047549C
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup

Control-flow Graph

APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 004300F4
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430103
• GetCurrentThreadId.KERNEL32 ref: 0043011D
• GlobalAddAtomA.KERNEL32(00000000), ref: 0043013E
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453614,00453614,?,00453614,00000000), ref: 004535A0
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453614,00453614,?,00453614), ref: 004535AD
  • Part of subcall function 00453364: WaitForInputIdle.USER32(?,00000032), ref: 00453390
  • Part of subcall function 00453364: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
  • Part of subcall function 00453364: GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
  • Part of subcall function 00453364: CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 004236B4
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 004236E1
• OemToCharA.USER32(?,?), ref: 004236F4
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 00423734
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418ED5
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418EF6
• GetCurrentThreadId.KERNEL32 ref: 00418F11
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F32
  • Part of subcall function 00423060: 73A1A570.USER32(00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230B6
  • Part of subcall function 00423060: EnumFontsA.GDI32(00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230C9
  • Part of subcall function 00423060: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230D1
  • Part of subcall function 00423060: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230DC
  • Part of subcall function 00423624: LoadIconA.USER32(00400000,MAINICON), ref: 004236B4
  • Part of subcall function 00423624: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 004236E1
  • Part of subcall function 00423624: OemToCharA.USER32(?,?), ref: 004236F4
  • Part of subcall function 00423624: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 00423734
  • Part of subcall function 0041F0B0: GetVersion.KERNEL32(?,00418F88,00000000,?,?,?,00000001), ref: 0041F0BE
  • Part of subcall function 0041F0B0: SetErrorMode.KERNEL32(00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0DA
  • Part of subcall function 0041F0B0: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0E6
  • Part of subcall function 0041F0B0: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0F4
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F124
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F14D
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F162
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F177
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F18C
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1A1
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1B6
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1CB
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1E0
  • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1F5
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 004135FC
• GetWindowLongA.USER32(?,000000F0), ref: 00413607
• GetWindowLongA.USER32(?,000000F4), ref: 00413619
• SetWindowLongA.USER32(?,000000F4,?), ref: 0041362C
• SetPropA.USER32(?,00000000,00000000), ref: 00413643
• SetPropA.USER32(?,00000000,00000000), ref: 0041365A
Similarity
• API ID: LongWindow$Prop
• String ID: (none)
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453C03,?,00000000,00453C43), ref: 00453B49
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453ACC
• WININIT.INI, xrefs: 00453B78
• PendingFileRenameOperations2, xrefs: 00453B18
• PendingFileRenameOperations, xrefs: 00453AE8
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                              APIs
                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00461FA1
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461FC7
                                                                                • Part of subcall function 00461E44: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00461EDC
                                                                                • Part of subcall function 00461E44: DestroyCursor.USER32(00000000), ref: 00461EF2
                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00462023
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462049
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                                                              • String ID: c:\directory
                                                                              • API String ID: 2926980410-3984940477
                                                                              • Opcode ID: 5194c65c3269dafb1668497fbf87d1d210523d8897b60a23e8c3a4391423d21e
                                                                              • Instruction ID: 7ea75e076aff8093e5049247e13a602e38cf95ebb48025f5e3f3f0ae895ce402
                                                                              • Opcode Fuzzy Hash: 5194c65c3269dafb1668497fbf87d1d210523d8897b60a23e8c3a4391423d21e
                                                                              • Instruction Fuzzy Hash: 0E417034600648AFDB21DB65CD89FDBBBE9EB48704F1040A6F904D7391D679EE80CB59
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045326A
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00453330), ref: 004532D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressByteCharMultiProcWide
                                                                              • String ID: P@3n$SfcIsFileProtected$sfc.dll
                                                                              • API String ID: 2508298434-1733997552
                                                                              • Opcode ID: a7581481b25a0738c2b9d603de68152674b802b49e63467cb469883107568cfe
                                                                              • Instruction ID: da0c0b73e4484b0d956c0617eda922bc647b017f41fd73a43e663524e5650ff4
                                                                              • Opcode Fuzzy Hash: a7581481b25a0738c2b9d603de68152674b802b49e63467cb469883107568cfe
                                                                              • Instruction Fuzzy Hash: F4417470A003189BEB10DF65DC89B9D77A8EB0430AF5080B7AD08A7292D7785F48CF1C
                                                                              APIs
                                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 0042DC68
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DDEB,00000000,0042DE03,?,?,?,?,00000005,?,00000000,0048E932), ref: 0042DC83
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DC89
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                                              • API String ID: 588496660-1846899949
                                                                              • Opcode ID: b0fbce93ce575fdc2c8693853eb6255ef9b1a7508dcdbe8f5181661bc77f2907
                                                                              • Instruction ID: eddbb1ccdc479b08d3a5db846f04dddb9c9689732034fbf648c66dc0f13b918d
                                                                              • Opcode Fuzzy Hash: b0fbce93ce575fdc2c8693853eb6255ef9b1a7508dcdbe8f5181661bc77f2907
                                                                              • Instruction Fuzzy Hash: EAE06DF0F41230ABD620276BBC4AFA3262C9F65325F584437F106A62A186FC4C80DF5C
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?,?,00000000,0047B43D,?,?,00000001,?), ref: 0047B239
                                                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047B2AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveChangeNotifyWindow
                                                                              • String ID: $Need to restart Windows? %s
                                                                              • API String ID: 1160245247-4200181552
                                                                              • Opcode ID: 49b3778517713bdb2557e46826310c4bd597fc09cdaeb7894a3b6d26a91a25b2
                                                                              • Instruction ID: 114ac4b44b5b00e731bcf7b635d291de4245cdb37201357886b7dcbb33a133ac
                                                                              • Opcode Fuzzy Hash: 49b3778517713bdb2557e46826310c4bd597fc09cdaeb7894a3b6d26a91a25b2
                                                                              • Instruction Fuzzy Hash: 4E91A3346042459FCB00EB69D885B9E77F4EF55304F1080BBE8049B362DB78AD45CB9E
                                                                              APIs
                                                                                • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                              • GetLastError.KERNEL32(00000000,00469769,?,?,00000001,00492070), ref: 00469646
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 004696C0
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004696E5
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ChangeNotify$CharErrorFullLastNamePathPrev
                                                                              • String ID: Creating directory: %s
                                                                              • API String ID: 2168629741-483064649
                                                                              • Opcode ID: 3d4be0d59a8186afbe19147c6485f89fb6dd7a99673a3f76b68947bb98e15cf6
                                                                              • Instruction ID: 39fbb5110f2ce61d64d63b7eb4c6f8db95eeecb92d3a4444acd7006c5b3e2544
                                                                              • Opcode Fuzzy Hash: 3d4be0d59a8186afbe19147c6485f89fb6dd7a99673a3f76b68947bb98e15cf6
                                                                              • Instruction Fuzzy Hash: F4512274A04248EBDB01DFA5D582BDEB7F9AF48305F50816AE811B7382D7B85E04CB59
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,?,L]E,00000000,4]E,?,?,?,00000000,00450E5E,?,?,?,00000001), ref: 00450E38
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,?,L]E,00000000,4]E,?,?,?,00000000,00450E5E,?,?,?,00000001), ref: 00450E40
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateErrorLastProcess
                                                                              • String ID: 4]E$L]E
                                                                              • API String ID: 2919029540-3190835428
                                                                              • Opcode ID: 8d7e75a497fa8892f9d2aaf0e610c0da6345f1f110309fad47ac0f1205f36ccc
                                                                              • Instruction ID: 36614b17b6321cc5c4ec2c76ccd23ddb11372e56904a959455bbf5e2affa7189
                                                                              • Opcode Fuzzy Hash: 8d7e75a497fa8892f9d2aaf0e610c0da6345f1f110309fad47ac0f1205f36ccc
                                                                              • Instruction Fuzzy Hash: F3113976600208AF8B50DEA9EC41DEFB7ECEB4D710B614966BD08D3241D638EE158BA4
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegCloseKey.ADVAPI32(?,00453E0F,?,00000001,00000000), ref: 00453E02
                                                                              Strings
                                                                              • PendingFileRenameOperations2, xrefs: 00453DE3
                                                                              • PendingFileRenameOperations, xrefs: 00453DD4
                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453DB0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                              • API String ID: 47109696-2115312317
                                                                              • Opcode ID: 36db5bb17954ea767181804f2f85a17aed559ad6800464154c3dbb056f6ae4bf
                                                                              • Instruction ID: 4b6a90d0bc14d3bc9c3fb9912a03eb94e7c702ceaa5b5df73397897c0cee9a07
                                                                              • Opcode Fuzzy Hash: 36db5bb17954ea767181804f2f85a17aed559ad6800464154c3dbb056f6ae4bf
                                                                              • Instruction Fuzzy Hash: B2F0C232344308BBDB06DA669C03A1AB7DCD744752FA0446AF80097A82DA79BF14962C
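The two function blocks above that reference SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations and PendingFileRenameOperations2 (plus the legacy WININIT.INI [rename] mechanism) are the Windows "replace or delete this file at next boot" path: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to that REG_MULTI_SZ value and smss.exe applies the list early in the next boot. Whether an installer uses it for an in-use file or a dropper uses it to remove or swap a file before defences load, an analyst triaging this sample wants to see exactly what is queued. The decoder below is an added example, not code from the sample or from Joe Sandbox; the paths in SAMPLE are constructed, the `flag_system_targets` heuristic is my own, and it reads the value from a `reg export` text rather than via `winreg`, because an empty destination (the "delete" encoding) is a bare NUL that a generic multi-sz reader such as `winreg.QueryValueEx` treats as the end of the list.

```python
"""Decode the Session Manager PendingFileRenameOperations value.

Added example; not part of the analysed sample or of Joe Sandbox.
Layout of the REG_MULTI_SZ payload: UTF-16LE, NUL-terminated strings in
(source, destination) pairs, followed by a final NUL. Destination "" means
delete the source; a leading "!" means MOVEFILE_REPLACE_EXISTING.
"""
import re
from dataclasses import dataclass

VALUE_NAME = "PendingFileRenameOperations"


@dataclass(frozen=True)
class PendingOp:
    action: str        # "delete", "move" or "replace"
    source: str
    destination: str   # "" for delete


def _strip_nt_prefix(path: str) -> str:
    # smss.exe stores NT object paths such as \??\C:\Temp\x.tmp
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending_ops(raw: bytes) -> list[PendingOp]:
    """Split the raw value by hand: the empty destination that encodes a delete
    is a lone NUL, which generic multi-sz readers mistake for the terminator."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]           # last string's NUL plus the list terminator
    elif text.endswith("\x00"):
        text = text[:-1]           # value written without the list terminator
    tokens = text.split("\x00") if text else []
    if len(tokens) % 2:
        raise ValueError("odd number of strings: a source without a destination")
    ops = []
    for src, dst in zip(tokens[0::2], tokens[1::2]):
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action, dst = "replace", dst[1:]   # MOVEFILE_REPLACE_EXISTING
        else:
            action = "move"                    # fails at boot if dst exists
        ops.append(PendingOp(action, _strip_nt_prefix(src), _strip_nt_prefix(dst)))
    return ops


def pending_ops_from_reg_export(reg_text: str) -> bytes:
    """Extract the hex(7) payload from a `reg export` of the Session Manager key
    (decode the UTF-16 .reg file to str first). Handles the ",\\" continuation
    lines that reg.exe emits for long values."""
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(f'"{VALUE_NAME}"=hex(7):'):
            hexpart = line.split(":", 1)[1]
            while hexpart.rstrip().endswith("\\"):
                i += 1
                hexpart = hexpart.rstrip()[:-1] + lines[i].strip()
            return bytes(int(h, 16) for h in hexpart.split(",") if h.strip())
    raise KeyError(VALUE_NAME)


def flag_system_targets(ops: list[PendingOp]) -> list[PendingOp]:
    """Heuristic of my own: a boot-time delete or replace under the Windows
    directory is how a file gets swapped or removed before SFC or an AV
    service is running. Plain moves are left out (they fail if dst exists)."""
    flagged = []
    for op in ops:
        target = op.destination or op.source       # delete targets the source
        if op.action != "move" and re.match(r"[a-z]:\\windows\\", target.lower()):
            flagged.append(op)
    return flagged


def _multi_sz(strings: list[str]) -> bytes:
    # Build a REG_MULTI_SZ payload the way the registry stores it (test helper)
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def _as_reg_export(raw: bytes) -> str:
    # Render raw bytes in .reg hex(7) syntax with wrapped lines (test helper)
    hexes = [f"{b:02x}" for b in raw]
    chunks = [",".join(hexes[i:i + 16]) for i in range(0, len(hexes), 16)]
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
            f'"{VALUE_NAME}"=hex(7):' + ",\\\n  ".join(chunks) + "\n")


# Constructed sample value: one replace, one delete, one replace into System32
SAMPLE = _multi_sz([
    "\\??\\C:\\Users\\Public\\is-ABC12.tmp", "!\\??\\C:\\Program Files\\App\\app.exe",
    "\\??\\C:\\Users\\Public\\setup.tmp", "",
    "\\??\\C:\\Users\\Public\\wsock.dll", "!\\??\\C:\\Windows\\System32\\wsock32.dll",
])

if __name__ == "__main__":
    ops = decode_pending_ops(pending_ops_from_reg_export(_as_reg_export(SAMPLE)))
    for op in ops:
        print(f"{op.action:8} {op.source} -> {op.destination}")
    print("boot-time writes under Windows:", flag_system_targets(ops))
```

Run it against a real export with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg` on the infected host, then `open("sm.reg", encoding="utf-16").read()` on the analysis box; the same decoder works on the bytes pulled from an offline SYSTEM hive. Check PendingFileRenameOperations2 the same way, since the sample references both names.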
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0046BDE9,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172), ref: 0046BDC5
                                                                              • FindClose.KERNEL32(000000FF,0046BDF0,0046BDE9,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172,?), ref: 0046BDE3
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0046BF0B,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172), ref: 0046BEE7
                                                                              • FindClose.KERNEL32(000000FF,0046BF12,0046BF0B,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172,?), ref: 0046BF05
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              • Opcode ID: bf85992c3290785de341d74331a1fc3e3988298a1f831191f2a0cc2316a5c01a
                                                                              • Instruction ID: 2dae98842d91c59889c1c18b4767c348dd3ab6512f57785b0b5d287fbef141cf
                                                                              • Opcode Fuzzy Hash: bf85992c3290785de341d74331a1fc3e3988298a1f831191f2a0cc2316a5c01a
                                                                              • Instruction Fuzzy Hash: DEB12D3490425D9FCF11DFA5C841ADEBBB9FF48304F5081AAE808A7261D7399A85CF95
                                                                              APIs
                                                                              • GetMenu.USER32(00000000), ref: 004212F9
                                                                              • SetMenu.USER32(00000000,00000000), ref: 00421316
                                                                              • SetMenu.USER32(00000000,00000000), ref: 0042134B
                                                                              • SetMenu.USER32(00000000,00000000), ref: 00421367
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Menu
                                                                              • String ID:
                                                                              • API String ID: 3711407533-0
                                                                              • Opcode ID: cd3a93c2cf138dab4565f8db6c0a338113bdbac6dcb4a2090afdd25f9904c4a9
                                                                              • Instruction ID: 5ba189b3e664db15440fa69ae7d8eea0be5862094bc30d9b2d5c91e26853f135
                                                                              • Opcode Fuzzy Hash: cd3a93c2cf138dab4565f8db6c0a338113bdbac6dcb4a2090afdd25f9904c4a9
                                                                              • Instruction Fuzzy Hash: A341913070025457EB20AB39A8857AA36A65B65748F4805BFFC45DF3A7CA7DCC49826C
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,00000000,00000000,00000000,0044A8C7,?,?,?,?), ref: 0044A81B
                                                                              • SelectObject.GDI32(?,00000000), ref: 0044A841
                                                                              • DrawTextA.USER32(?,00000000,00000000,00000000,00000000), ref: 0044A86E
                                                                              • 73A1A480.USER32(00000000,?,0044A893,0044A88C,?,00000000,00000000,00000000,00000000,0044A8C7,?,?,?,?), ref: 0044A886
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A480A570DrawObjectSelectText
                                                                              • String ID:
                                                                              • API String ID: 1593990899-0
                                                                              • Opcode ID: 13e7f46594410429415eb3c83e8a379f550846bd814c016b0beec29a33dfd232
                                                                              • Instruction ID: 162fa924c01e8769bffc667adf009b74f6d8a2415f726b074ddb38969f1a9430
                                                                              • Opcode Fuzzy Hash: 13e7f46594410429415eb3c83e8a379f550846bd814c016b0beec29a33dfd232
                                                                              • Instruction Fuzzy Hash: 7A314C70E44208AFEB11EBA5C845F9EBBF9EB48304F5180B6F404E7291D7389E55CB19
                                                                              APIs
                                                                              • SendMessageA.USER32(?,?,?,?), ref: 00416B1C
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00416B36
                                                                              • SetBkColor.GDI32(?,00000000), ref: 00416B50
                                                                              • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B78
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Color$CallMessageProcSendTextWindow
                                                                              • String ID:
                                                                              • API String ID: 601730667-0
                                                                              • Opcode ID: 1db9439961d16d8c2abea4fe5464b0a9e2b87304c89db61a0dbe8b2136cc1a78
                                                                              • Instruction ID: ede9de0c36d47e69a987b7ca94d8f010d1f25b9d4ebdef75bfe2fd84eb8d61b5
                                                                              • Opcode Fuzzy Hash: 1db9439961d16d8c2abea4fe5464b0a9e2b87304c89db61a0dbe8b2136cc1a78
                                                                              • Instruction Fuzzy Hash: B11121B2204610AFC710EE6ECDC4E9777ECDF49314715882AB59ADB616C638FC418B69
                                                                              APIs
                                                                              • EnumWindows.USER32(004239B4), ref: 00423A40
                                                                              • GetWindow.USER32(?,00000003), ref: 00423A55
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423A64
                                                                              • SetWindowPos.USER32(00000000,004240F4,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424143,?,?,00423D0B), ref: 00423A9A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnumLongWindows
                                                                              • String ID:
                                                                              • API String ID: 4191631535-0
                                                                              • Opcode ID: a3dddf2818e85b0a7412034cdc93827fed5f39f9f86c9025a0e1ddd06f9f1a23
                                                                              • Instruction ID: 78858b55759cffc047babf0828248a40a9e7283faaf25bc92fdcf5910b1e6d89
                                                                              • Opcode Fuzzy Hash: a3dddf2818e85b0a7412034cdc93827fed5f39f9f86c9025a0e1ddd06f9f1a23
                                                                              • Instruction Fuzzy Hash: 6F112A71704620AFEB10DF28D985F5677F8EB48725F11026AF9A4AB2E2C3789D40CB58
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230B6
                                                                              • EnumFontsA.GDI32(00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230C9
                                                                              • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230D1
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A24620A480A570EnumFonts
                                                                              • String ID:
                                                                              • API String ID: 2630238358-0
                                                                              • Opcode ID: 99f52810c9749a5cbd9ff2f136ef96ebea9bad732b838abe369f9f052bbb00dd
                                                                              • Instruction ID: 480ad96ec471ac809db642ed0e84659cb32dc22bff5912eb34c1548d136fbca0
                                                                              • Opcode Fuzzy Hash: 99f52810c9749a5cbd9ff2f136ef96ebea9bad732b838abe369f9f052bbb00dd
                                                                              • Instruction Fuzzy Hash: 3A0192617043002AE710BF795C86B9B7B649F05319F54427BF904AA3C7DABE9805476E
                                                                              APIs
                                                                                • Part of subcall function 0044FAC4: SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                              • FlushFileBuffers.KERNEL32(?), ref: 004599B4
                                                                              Strings
                                                                              • EndOffset range exceeded, xrefs: 004598D6
                                                                              • NumRecs range exceeded, xrefs: 0045989F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$BuffersFlush
                                                                              • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                              • API String ID: 3593489403-659731555
                                                                              • Opcode ID: 1f2bc0606a5f0983b0ea1b8ab0875cedde292d15a2ed6b25246784c604d14e3d
                                                                              • Instruction ID: 05f19677e5008765b15c4a6d8796d41a2b093650de1072065c8b92715952b680
                                                                              • Opcode Fuzzy Hash: 1f2bc0606a5f0983b0ea1b8ab0875cedde292d15a2ed6b25246784c604d14e3d
                                                                              • Instruction Fuzzy Hash: D6615F34A00258CBDB25DF25C841ADAB3B5EB49305F0085EBED49AB352D7B4AEC9CF54
                                                                              APIs
                                                                                • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0048FB0E), ref: 0040334B
                                                                                • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0048FB0E), ref: 00403356
                                                                                • Part of subcall function 00409B10: 6F551CD0.COMCTL32(0048FB1D), ref: 00409B10
                                                                                • Part of subcall function 004108EC: GetCurrentThreadId.KERNEL32 ref: 0041093A
                                                                                • Part of subcall function 00418FD8: GetVersion.KERNEL32(0048FB31), ref: 00418FD8
                                                                                • Part of subcall function 0044ECB8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048FB45), ref: 0044ECF3
                                                                                • Part of subcall function 0044ECB8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044ECF9
                                                                                • Part of subcall function 004517EC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 0045180C
                                                                                • Part of subcall function 004517EC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451812
                                                                                • Part of subcall function 004517EC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 00451826
                                                                                • Part of subcall function 004517EC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045182C
                                                                                • Part of subcall function 0045F420: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0048FB63), ref: 0045F42F
                                                                                • Part of subcall function 0045F420: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045F435
                                                                                • Part of subcall function 00467010: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00467025
                                                                                • Part of subcall function 00471A50: GetModuleHandleA.KERNEL32(kernel32.dll,?,0048FB6D), ref: 00471A56
                                                                                • Part of subcall function 00471A50: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00471A63
                                                                                • Part of subcall function 00471A50: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00471A73
                                                                                • Part of subcall function 0048CAAC: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048CAB1
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,0048FBB5), ref: 0048FB87
                                                                                • Part of subcall function 0048F910: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048FB91,00000001,00000000,0048FBB5), ref: 0048F91A
                                                                                • Part of subcall function 0048F910: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0048F920
                                                                                • Part of subcall function 0042446C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0042448B
                                                                                • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                              • ShowWindow.USER32(?,00000005,00000000,0048FBB5), ref: 0048FBF8
                                                                                • Part of subcall function 0047A84C: SetActiveWindow.USER32(?), ref: 0047A8E6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
                                                                              • String ID: Setup
                                                                              • API String ID: 1049710048-3839654196
                                                                              • Opcode ID: 491b58e90ccc040da5be879388dfd3e873ea2da0a6ccdddc3a01f6d7e6a04dae
                                                                              • Instruction ID: 05e04b58d559349a16389a7bed4b2658fb8c322911455d768caeccd37b77f3a0
                                                                              • Opcode Fuzzy Hash: 491b58e90ccc040da5be879388dfd3e873ea2da0a6ccdddc3a01f6d7e6a04dae
                                                                              • Instruction Fuzzy Hash: 9F31E2312046009FD3017BB7EC6391E37E8EB897187624C7BF904866A3DE3D58548A6E
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,?,00000000,0042DB51), ref: 0042DA68
                                                                              • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,00000000,?,ProductType,00000000,?,00000000,?,00000000,0042DB51), ref: 0042DAC0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID: ProductType
                                                                              • API String ID: 3660427363-120863269
                                                                              • Opcode ID: 6bfb4fd44eca12809ce3db0115c22f98bfdaa3bb87c7abec4c6d98565b8ebe83
                                                                              • Instruction ID: 720882c7ace9e3aee5e39c75bef508b614e07e55abf3e0c3cdebfe3487a701cd
                                                                              • Opcode Fuzzy Hash: 6bfb4fd44eca12809ce3db0115c22f98bfdaa3bb87c7abec4c6d98565b8ebe83
                                                                              • Instruction Fuzzy Hash: 47412A70E04118AFDF21DF95D895BEFBBB8EB05304F9185B7E410A7281D778AA44CB58
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045210F,?,?,00000000,00491628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452066
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045210F,?,?,00000000,00491628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045206F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: b85b4929283630c48eadbf2cbebc30f3f6ab2d69d23499921ffdb8137f2e4c49
                                                                              • Instruction ID: 243ebf4b46ba542f7f276c497d58c5d8c2b9d78763f1d6c9208d69dc09338b99
                                                                              • Opcode Fuzzy Hash: b85b4929283630c48eadbf2cbebc30f3f6ab2d69d23499921ffdb8137f2e4c49
                                                                              • Instruction Fuzzy Hash: DB216274A00208ABDB01EFA5C9529DFB7B9EB48304F50443BED01B7382DA7C9E048AA5
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                              • 73A25940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A25940CurrentThread
                                                                              • String ID: .cE
                                                                              • API String ID: 2655091166-2247376771
                                                                              • Opcode ID: 7114da14003f801617bc287ec153a09cbaa899a94acfa9cfc63b91c43064aad6
                                                                              • Instruction ID: 741d75755e19a406a31988a48b10835d357054a8eb3752de669f6350f9a9ffb3
                                                                              • Opcode Fuzzy Hash: 7114da14003f801617bc287ec153a09cbaa899a94acfa9cfc63b91c43064aad6
                                                                              • Instruction Fuzzy Hash: EA012975A04704BFD725CF66EC1195ABBF8E789720B22887BEC04D36A0F6345910EE18
                                                                              APIs
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00475196,00000000,004751AC,?,?,?,?,00000000), ref: 00474F72
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                                              • API String ID: 3535843008-1113070880
                                                                              • Opcode ID: fb8125e15dd1e95c2c3fc40ad81d516763da28b9d41dee2f4fe7d1ea49f3ddbb
                                                                              • Instruction ID: ca8d2858b2af6c6aeca06424934b203f0131d6be77ca3c38012645fb33a7432b
                                                                              • Opcode Fuzzy Hash: fb8125e15dd1e95c2c3fc40ad81d516763da28b9d41dee2f4fe7d1ea49f3ddbb
                                                                              • Instruction Fuzzy Hash: AAF09631708244ABDB00D6A5AD56BAA37999741304F10807BF2048B291D7BDAE01C75C
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046EC4B), ref: 0046EA39
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046EC4B), ref: 0046EA50
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorFileHandleLast
                                                                              • String ID: CreateFile
                                                                              • API String ID: 2528220319-823142352
                                                                              • Opcode ID: ad3004295afec78419ee0f198e40febc28fc91a26831ece3670bf70097c3d0fd
                                                                              • Instruction ID: 88c410d2b993a7dea7f257b246bf4907bd6482aa96eec96fb2f66064e7706465
                                                                              • Opcode Fuzzy Hash: ad3004295afec78419ee0f198e40febc28fc91a26831ece3670bf70097c3d0fd
                                                                              • Instruction Fuzzy Hash: ECE06D34780304BBEA10E6A9CCC6F097788AB04728F108156FA44AF3E2C5B9EC808619
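The argument lists in the "APIs" bullets above are raw 32-bit stack slots, so reading them takes some decoding: CreateFileA at 0046EA39 is called with C0000000 / 00000000 / 00000001 / 00000080, SetErrorMode at 0048FB87 with 00000001 (and with 00008000 in the subcall at 0042E1DA), SetWindowPos at 00423A9A with uFlags 00000013, ShowWindow at 0048FBF8 with 00000005. Two caveats matter when triaging: "?" means the sandbox could not recover that value, and the list continues past the API's real parameter count into neighbouring stack contents, which is why the name Wow64DisableWow64FsRedirection appears in the GetModuleHandleA line at 0045180C rather than in the GetProcAddress line at 00451812 that actually resolves it. The following Python decoder is an added example and not part of the Joe Sandbox report; it parses bullets in this report's format (the sample bullets are constructed from the entries above), maps the leading slots to Windows SDK constant names using tables taken from the SDK headers, and collects every string-valued slot so that dynamically resolved export names can be pulled out regardless of which line they landed on. The API-to-parameter-count mapping and the selection of APIs decoded are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed input: "APIs" bullets in the shape this report uses, with the argument
# lists copied from the corresponding function entries above.
SAMPLE_ENTRIES = """
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046EC4B), ref: 0046EA39
• SetErrorMode.KERNEL32(00000001,00000000,0048FBB5), ref: 0048FB87
  • Part of subcall function 0042E1D0: SetErrorMode.KERNEL32(00008000), ref: 0042E1DA
• SetWindowPos.USER32(00000000,004240F4,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424143,?,?,00423D0B), ref: 00423A9A
• ShowWindow.USER32(?,00000005,00000000,0048FBB5), ref: 0048FBF8
  • Part of subcall function 004517EC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 0045180C
  • Part of subcall function 004517EC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451812
  • Part of subcall function 00471A50: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00471A63
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")

# Windows SDK constants for the parameters decoded below (values from the SDK headers).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM",
             0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
ERROR_MODE = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
              0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
SWP_FLAGS = {0x1: "SWP_NOSIZE", 0x2: "SWP_NOMOVE", 0x4: "SWP_NOZORDER", 0x8: "SWP_NOREDRAW",
             0x10: "SWP_NOACTIVATE", 0x20: "SWP_FRAMECHANGED", 0x40: "SWP_SHOWWINDOW",
             0x80: "SWP_HIDEWINDOW"}
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
            4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE",
            8: "SW_SHOWNA", 9: "SW_RESTORE"}

Arg = Union[int, str]  # an 8-hex-digit slot becomes int; "?" and string args stay str


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: str                      # call-site address printed after "ref:"
    caller: Optional[str] = None  # set for "Part of subcall function" bullets
    decoded: Dict[str, str] = field(default_factory=dict)


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed SDK names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) or "0"


def _ints(args: List[Arg], count: int) -> Optional[List[int]]:
    """The first `count` slots as ints, or None if any of them is '?' or a string."""
    head = args[:count]
    return head if len(head) == count and all(isinstance(a, int) for a in head) else None


def _decode(api: str, args: List[Arg]) -> Dict[str, str]:
    # Only the leading slots are the API's own parameters (count per the SDK prototype);
    # the report prints further stack contents after them, which are ignored here.
    if api == "CreateFileA" and (p := _ints(args, 6)):
        return {"dwDesiredAccess": _flags(p[1], GENERIC_ACCESS),
                "dwShareMode": _flags(p[2], FILE_SHARE),
                "dwCreationDisposition": CREATION.get(p[4], f"0x{p[4]:X}"),
                "dwFlagsAndAttributes": _flags(p[5], FILE_ATTR)}
    if api == "SetErrorMode" and (p := _ints(args, 1)):
        return {"uMode": _flags(p[0], ERROR_MODE)}
    if api == "SetWindowPos" and (p := _ints(args, 7)):
        return {"uFlags": _flags(p[6], SWP_FLAGS)}
    if api == "ShowWindow" and len(args) >= 2 and isinstance(args[1], int):
        return {"nCmdShow": SHOW_CMD.get(args[1], f"0x{args[1]:X}")}
    return {}


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_entries(text: str) -> List[ApiCall]:
    """Parse every 'APIs' bullet in `text`; lines in any other shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        call = ApiCall(m["api"], m["module"], args, m["ref"], m["caller"])
        call.decoded = _decode(call.api, call.args)
        calls.append(call)
    return calls


def decoded_by_ref(text: str) -> Dict[str, Dict[str, str]]:
    """Call-site address -> decoded parameters (empty dict for APIs not decoded)."""
    return {c.ref: c.decoded for c in parse_entries(text)}


def string_slots(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Every recovered string slot per call site, whichever position it sits in.
    Because slots past the real parameter count are adjacent stack contents, a name
    pushed for a later GetProcAddress can surface in the preceding GetModuleHandleA."""
    found = {c.ref: [a for a in c.args if isinstance(a, str) and a != "?"] for c in calls}
    return {ref: strs for ref, strs in found.items() if strs}


def summarize(calls: List[ApiCall]) -> List[str]:
    """One triage line per call: address, API, decoded parameters (or 'raw')."""
    out = []
    for c in calls:
        where = f"{c.ref} (via {c.caller})" if c.caller else c.ref
        detail = ", ".join(f"{k}={v}" for k, v in c.decoded.items()) or "raw"
        out.append(f"{where} {c.api}.{c.module}: {detail}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_entries(SAMPLE_ENTRIES)):
        print(line)
    print("strings by slot:", string_slots(parse_entries(SAMPLE_ENTRIES)))
```

Run against the constructed bullets, the CreateFileA call at 0046EA39 decodes to GENERIC_READ|GENERIC_WRITE, share mode 0 (exclusive), CREATE_NEW, FILE_ATTRIBUTE_NORMAL, which together with the "CreateFile" string in that entry reads as a create-or-fail probe; SetErrorMode decodes to SEM_FAILCRITICALERRORS at 0048FB87 and SEM_NOOPENFILEERRORBOX at 0042E1DA (suppressing the error dialogs that would otherwise interrupt an unattended run); SetWindowPos at 00423A9A uses SWP_NOSIZE|SWP_NOMOVE|SWP_NOACTIVATE. Extend the tables and `_decode` for whichever other APIs in the listing you need to read.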
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,p I,00000004,00000001,?,0046912F,?,?,00000000,004691D6,?,_is1,?), ref: 00468C1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: NoModify$p I
                                                                              • API String ID: 3702945584-149964347
                                                                              • Opcode ID: a2c7f905128bce9c85b7980fd93439cd1a7af668d1cf4a048e3beec408cb2ced
                                                                              • Instruction ID: 5f17656b713328f70f4e7e69c90c4b9631954771e6a11acddfbeddc3ad8a7337
                                                                              • Opcode Fuzzy Hash: a2c7f905128bce9c85b7980fd93439cd1a7af668d1cf4a048e3beec408cb2ced
                                                                              • Instruction Fuzzy Hash: D9E04FB4641308BFEB04DB95CD4AF6B77ACDB48750F10415EBA04DB290EA74EE00C668
                                                                              APIs
                                                                                • Part of subcall function 0042E1D0: SetErrorMode.KERNEL32(00008000), ref: 0042E1DA
                                                                                • Part of subcall function 0042E1D0: LoadLibraryA.KERNEL32(00000000,00000000,0042E224,?,00000000,0042E242,?,00008000), ref: 0042E209
                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00467025
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2492108670-2683653824
                                                                              • Opcode ID: c1407b3ed417c14e9cb1d4a508e91d73624d96c2cf720aa64d80b2131ee11c1c
                                                                              • Instruction ID: 4e6ef65d5c6372aab034aae14ce800510d414609db6ea871b3bf53974ffa5695
                                                                              • Opcode Fuzzy Hash: c1407b3ed417c14e9cb1d4a508e91d73624d96c2cf720aa64d80b2131ee11c1c
                                                                              • Instruction Fuzzy Hash: 12B092B062964582DE4067B2591272B210A974071CF50C43BB045AA699EB3D88056FAE
                                                                              APIs
                                                                              • 74D41520.VERSION(00000000,?,?,?,0048E9CD), ref: 00450B2C
                                                                              • 74D41500.VERSION(00000000,?,00000000,?,00000000,00450BA7,?,00000000,?,?,?,0048E9CD), ref: 00450B59
                                                                              • 74D41540.VERSION(?,00450BD0,?,?,00000000,?,00000000,?,00000000,00450BA7,?,00000000,?,?,?,0048E9CD), ref: 00450B73
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: D41500D41520D41540
                                                                              • String ID:
                                                                              • API String ID: 2153611984-0
                                                                              • Opcode ID: e74ac5882540819055a9b868d9ebfab0988b796822b5208a04ca06564a832d1d
                                                                              • Instruction ID: b3f7e617e94dee12745bb0ae154e14247ba12b6e1b33dbbe84f386d4bcc14397
                                                                              • Opcode Fuzzy Hash: e74ac5882540819055a9b868d9ebfab0988b796822b5208a04ca06564a832d1d
                                                                              • Instruction Fuzzy Hash: 11216275A00549AFDB01DAE98C81EAFB7FCEB49305F55447AFC00E3282D679AE04CB65
                                                                              APIs
                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004243AA
                                                                              • TranslateMessage.USER32(?), ref: 00424427
                                                                              • DispatchMessageA.USER32(?), ref: 00424431
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchPeekTranslate
                                                                              • String ID:
                                                                              • API String ID: 4217535847-0
                                                                              • Opcode ID: a1bcb0b4cddcccdb1809fa665ecf4e834a60a407fc84fe33fc01ef11a48cb8ff
                                                                              • Instruction ID: f41f362f8b510b916e1250aa7cd67eb3d1bf5f1abd6c75054d9fad27ae384175
                                                                              • Opcode Fuzzy Hash: a1bcb0b4cddcccdb1809fa665ecf4e834a60a407fc84fe33fc01ef11a48cb8ff
                                                                              • Instruction Fuzzy Hash: 8911C43130432056EA20E664B94179BB7D4DFC0B44FD0481EF8C987382D3BD9E85879B
                                                                              APIs
                                                                              • SetPropA.USER32(00000000,00000000), ref: 00416602
                                                                              • SetPropA.USER32(00000000,00000000), ref: 00416617
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041663E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Prop$Window
                                                                              • String ID:
                                                                              • API String ID: 3363284559-0
                                                                              • Opcode ID: abce75a93c7af2809daeccc10dca433874f6facc9e691e91c63ac67adcc77cdc
                                                                              • Instruction ID: 7e53595c330ddd8fac250eff5939085705778a4fd4c28fed0557c4acc79c9eac
                                                                              • Opcode Fuzzy Hash: abce75a93c7af2809daeccc10dca433874f6facc9e691e91c63ac67adcc77cdc
                                                                              • Instruction Fuzzy Hash: 11F0BD71701220ABE710AF59DC85FA632ECAB0D715F16017ABE05EF296C679DD4087A8
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 0041EDFC
                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE06
                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EE2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnableEnabledVisible
                                                                              • String ID:
                                                                              • API String ID: 3234591441-0
                                                                              • Opcode ID: 30cd10f9e6e6988f12bc522c3ddfac0ba0dd8a613fe51e8cb5c9acb32a7f50cd
                                                                              • Instruction ID: b74782cb620cf7184d956329234e82953052207085a66aea4c88563df6020a5c
                                                                              • Opcode Fuzzy Hash: 30cd10f9e6e6988f12bc522c3ddfac0ba0dd8a613fe51e8cb5c9acb32a7f50cd
                                                                              • Instruction Fuzzy Hash: 9CE0ED741003006EE720EB27DDC1A5B76ACAB15354F51843BEC09AB292D639D8408E7C
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?), ref: 0047A8E6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow
                                                                              • String ID: InitializeWizard
                                                                              • API String ID: 2558294473-2356795471
                                                                              • Opcode ID: 5d27466cebfbd2aa7d2215f696880c43dc2b5c0733d824ec7b71431b4b67c958
                                                                              • Instruction ID: 4ef4d0f5891c0f271f91b124662a3bdbc4c54ac07b4307d288165ee679e51438
                                                                              • Opcode Fuzzy Hash: 5d27466cebfbd2aa7d2215f696880c43dc2b5c0733d824ec7b71431b4b67c958
                                                                              • Instruction Fuzzy Hash: CE11E571608205AFD304EB29EC41B5E37E4E755368F11487BF408873B1DB7A6814CB0E
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00475072,00000000,004751AC), ref: 00474E71
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00474E41
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                              • API String ID: 47109696-1019749484
                                                                              • Opcode ID: 9ce991fdd72377c6560612b01921262f802a1c998dfb1707908bf7020ea89cf1
                                                                              • Instruction ID: 5e7d8204e1387e5276ff1e1c15c303683ce0c16dca96b1678201da73bf853054
                                                                              • Opcode Fuzzy Hash: 9ce991fdd72377c6560612b01921262f802a1c998dfb1707908bf7020ea89cf1
                                                                              • Instruction Fuzzy Hash: 82F0823270421467DA00A65A5C42BAEA69DABD4778F60403BF508EB242DBB99E0243AD
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00492070,?,00468D8F,?,00000000,004691D6,?,_is1), ref: 00468BBB
                                                                              Strings
                                                                              • Inno Setup: Setup Version, xrefs: 00468BB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: Inno Setup: Setup Version
                                                                              • API String ID: 3702945584-4166306022
                                                                              • Opcode ID: 55bc7da4cd8946349a8deaf42b7ea84ae745bbd3c125ab1bd1090d5bf08d9b73
                                                                              • Instruction ID: 1b93d253739ba50d70b0c298aadec07ca201889e3bbe27255cf69d985455c9ee
                                                                              • Opcode Fuzzy Hash: 55bc7da4cd8946349a8deaf42b7ea84ae745bbd3c125ab1bd1090d5bf08d9b73
                                                                              • Instruction Fuzzy Hash: E7E06D713412043FD710AA6E9C85F6BBBDCDF98765F10453AB908DB392D978DD0082A8
                                                                              APIs
                                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              Strings
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 0042DC4E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID: System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 71445658-1109719901
                                                                              • Opcode ID: 9e5b345e785c91b0f5a571fec93a41b1f6e0275645f0b6ae19fc6c92cfbd1549
                                                                              • Instruction ID: 1fa36bbc138ef5df8a79d56ad3489f1352038e5699f18f1501d42a01d3325c1b
                                                                              • Opcode Fuzzy Hash: 9e5b345e785c91b0f5a571fec93a41b1f6e0275645f0b6ae19fc6c92cfbd1549
                                                                              • Instruction Fuzzy Hash: ECD0C772910128BBDB10DA89DC41DF7775DDB59760F44401AFD0497141C1B4EC5197F4
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDD6,?,?,00000008,00000000,00000000,0042DE03), ref: 0042DD6C
                                                                              • RegCloseKey.ADVAPI32(?,0042DDDD,?,00000000,00000000,00000000,00000000,00000000,0042DDD6,?,?,00000008,00000000,00000000,0042DE03), ref: 0042DDD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseEnumOpen
                                                                              • String ID:
                                                                              • API String ID: 1332880857-0
                                                                              • Opcode ID: 73c2a03e679bf25bdfde315833b36e1b00f0765a82adf2df881adb15c1f56b70
                                                                              • Instruction ID: f99dc329d23035621923b5d2a774476ca06079cc80924e5db7f10a2c30e205d1
                                                                              • Opcode Fuzzy Hash: 73c2a03e679bf25bdfde315833b36e1b00f0765a82adf2df881adb15c1f56b70
                                                                              • Instruction Fuzzy Hash: 5531A370F04648AEDF11DFA2DD52BBFBBB9EB49304F90447BA400F6281D6385A01CA69
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF7A
                                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0D7,00000000,0040B0EF,?,?,00000000,00000000), ref: 0040AF8B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindFree
                                                                              • String ID:
                                                                              • API String ID: 4097029671-0
                                                                              • Opcode ID: 7496c189695d688fdff99332259dad1589d6eadf15039624863e1fafd028cd3d
                                                                              • Instruction ID: 0b65737a95a802b673eb4701f613ec416807bcfd10e803f651e899918fb15a2b
                                                                              • Opcode Fuzzy Hash: 7496c189695d688fdff99332259dad1589d6eadf15039624863e1fafd028cd3d
                                                                              • Instruction Fuzzy Hash: 8401F7B1304305AFEB01EF65DC92E5A77ADDB497187118077F500EB2D0D63A9C11972A
                                                                              APIs
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 004512BE
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004512E4), ref: 004512C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastMove
                                                                              • String ID:
                                                                              • API String ID: 55378915-0
                                                                              • Opcode ID: 326e839074a7fabb4a6fe387ff7347aa7085a5f6dae100b7999874b6cc7046d8
                                                                              • Instruction ID: 4b1b8153bfe220907ace0ac351b5803590bb163904822851c8eb884620ab5cc8
                                                                              • Opcode Fuzzy Hash: 326e839074a7fabb4a6fe387ff7347aa7085a5f6dae100b7999874b6cc7046d8
                                                                              • Instruction Fuzzy Hash: 9501FE71B042046F8B01DFB95C415AEB7FCDB88315B5045B7FC04F3652E6785D08455D
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00450DCB), ref: 00450DA5
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00450DCB), ref: 00450DAD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1375471231-0
                                                                              • Opcode ID: a8f3aab3da5e49bc1cc7ae1ed24efa0b6e0ae9f04d9ab1d7d32c9ae69be7706f
                                                                              • Instruction ID: 8d0fd8431dd01b07f2e057170897cb65e7043a318c548b557aaaf859c49bc1d1
                                                                              • Opcode Fuzzy Hash: a8f3aab3da5e49bc1cc7ae1ed24efa0b6e0ae9f04d9ab1d7d32c9ae69be7706f
                                                                              • Instruction Fuzzy Hash: 92F0C876A04608BFDB11EFF59C415AEB7F8DB09325B5049B7FC04E3282E6396E188598
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 004231E1
                                                                              • LoadCursorA.USER32(00000000,00000000), ref: 0042320B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CursorLoad
                                                                              • String ID:
                                                                              • API String ID: 3238433803-0
                                                                              • Opcode ID: 75bc9bdbe08c2d970092a5246113edb2c82e11a14534848da190b62e376ac7a0
                                                                              • Instruction ID: c216e742746fd48a7e71b88d4d8d1f08d0288b379413097872f84a35904d072c
                                                                              • Opcode Fuzzy Hash: 75bc9bdbe08c2d970092a5246113edb2c82e11a14534848da190b62e376ac7a0
                                                                              • Instruction Fuzzy Hash: 97F02711700250AAD6109E3E6CC1A2A76A8DB82735B72037BFA3AD32D1CA2E5C414179
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 0042E1DA
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,0042E224,?,00000000,0042E242,?,00008000), ref: 0042E209
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: c74b51fe89b54973e6d6af767e65af794be13bcce0c1b540c4036a39c29beee6
                                                                              • Instruction ID: f80bc88786ffee16906ee1cbc6f5a5dfb0de3d8b81ccbeda7050d0d84746be81
                                                                              • Opcode Fuzzy Hash: c74b51fe89b54973e6d6af767e65af794be13bcce0c1b540c4036a39c29beee6
                                                                              • Instruction Fuzzy Hash: 3BF08270714744BEDB019F779C6282BBBECE74DB1479249B6F800A2691E63C5810C939
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,00000080,00469D25,?,00000000), ref: 0044FAA6
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000002,?,00000080,00469D25,?,00000000), ref: 0044FAAE
                                                                                • Part of subcall function 0044F84C: GetLastError.KERNEL32(0044F668,0044F90E,?,00000000,?,0048EEF4,00000001,00000000,00000002,00000000,0048F028,?,?,00000005,00000000,0048F05C), ref: 0044F84F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 66d8d2571b6d9c9182f66046bc7c24ec16b6b3f9d7b5b3c91b7e7c906b8499e0
                                                                              • Instruction ID: dc2cc91d022b993bb9419ccf16811074cfb412fa6d4f5818e5344dbdd2536412
                                                                              • Opcode Fuzzy Hash: 66d8d2571b6d9c9182f66046bc7c24ec16b6b3f9d7b5b3c91b7e7c906b8499e0
                                                                              • Instruction Fuzzy Hash: 24E012B23142016BFB10EAB599C2F3B22DCDB44314F00457AB648DE287E674CC058B65
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 2087232378-0
                                                                              • Opcode ID: a63fe0f0864ed12356c05260577adb58acfda967faafabc8b78a16e1d04bad7e
                                                                              • Instruction ID: bf7b13eafa23b8191e4305e5e68b9b030f4cda3e75454a5d70f9da2571521f57
                                                                              • Opcode Fuzzy Hash: a63fe0f0864ed12356c05260577adb58acfda967faafabc8b78a16e1d04bad7e
                                                                              • Instruction Fuzzy Hash: 23F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9
                                                                              APIs
                                                                              • SendNotifyMessageA.USER32(00020470,00000496,00002711,00000000), ref: 00476981
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageNotifySend
                                                                              • String ID:
                                                                              • API String ID: 3556456075-0
                                                                              • Opcode ID: 70efed1c4315a37954a4eada347154322bbb8374bb31cc1d7421cf403e77fac0
                                                                              • Instruction ID: ce85a3f25e29e8795c44f1ed81d72edd15c5c256e4fde433e3fba35f83edee42
                                                                              • Opcode Fuzzy Hash: 70efed1c4315a37954a4eada347154322bbb8374bb31cc1d7421cf403e77fac0
                                                                              • Instruction Fuzzy Hash: BC4184B4600000ABCB01FF66ED8254B3B9AAB50309755C577A508AF3B7CA7CDD068B9D
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004086A2), ref: 0040858B
                                                                                • Part of subcall function 00406D7C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D99
                                                                                • Part of subcall function 004084F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: ec077f70c423e742a57cde7fe61168d436679bb3f9a4331c259d2b71bff546c5
                                                                              • Instruction ID: f14e446589c7b2821558283ee76cbc32656574477ad454b613744791b3cb0744
                                                                              • Opcode Fuzzy Hash: ec077f70c423e742a57cde7fe61168d436679bb3f9a4331c259d2b71bff546c5
                                                                              • Instruction Fuzzy Hash: B0314F35E0010A9FCB00DB55C8819EEB779EF84314F51857BE815BB296E738AE018B98
                                                                              APIs
                                                                              • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBD1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoScroll
                                                                              • String ID:
                                                                              • API String ID: 629608716-0
                                                                              • Opcode ID: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                                                              • Instruction ID: b99c7564aaa2165f0350f3b3a8cb5fa8abdd766088343814f3ecbe0bf240b0fd
                                                                              • Opcode Fuzzy Hash: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                                                              • Instruction Fuzzy Hash: 7B2142B16087456FC340DF39C4406A6BBE4BB48344F048A3EE498C3741D778E996CBD6
                                                                              APIs
                                                                                • Part of subcall function 0041EE3C: GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                                • Part of subcall function 0041EE3C: 73A25940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046677A,?,00000000,?,?,0046697F,?,00000000,004669BE), ref: 0046675E
                                                                                • Part of subcall function 0041EEF0: IsWindow.USER32(?), ref: 0041EEFE
                                                                                • Part of subcall function 0041EEF0: EnableWindow.USER32(?,00000001), ref: 0041EF0D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                                              • String ID:
                                                                              • API String ID: 390483697-0
                                                                              • Opcode ID: 83a08173aec7ac216bab6100ce2b7e9597a3104a8217ef6e8404317d0b0b416d
                                                                              • Instruction ID: 04c01a9ff29008d4721837e79f174a1df7be570425d0b7f966994dd3cdc76343
                                                                              • Opcode Fuzzy Hash: 83a08173aec7ac216bab6100ce2b7e9597a3104a8217ef6e8404317d0b0b416d
                                                                              • Instruction Fuzzy Hash: 11F02774208304BFE7059B72EC17B257BECE31871AF62447BF409C6590EA799C40CA1D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction ID: 50f4ac4be647669ab6f74869d4f7439b47092d0ed037b823dcc0415f1adf503d
                                                                              • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction Fuzzy Hash: FAF06D30504209DBEF1CCF68D0619AF77B1EB68700B24846FE647A7390DA34AF20D658
                                                                              APIs
                                                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041651D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 37ab0cd48537a58929e3c8fcf0b95003e200bb7ebbb158e83a9db119e5dd7d08
                                                                              • Instruction ID: 7b826a0fe65a8fd7b5428e982f0fd04f84c52168a395b6215e34099a37556f80
                                                                              • Opcode Fuzzy Hash: 37ab0cd48537a58929e3c8fcf0b95003e200bb7ebbb158e83a9db119e5dd7d08
                                                                              • Instruction Fuzzy Hash: CFF025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF25AD225EC508BB0
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414987
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                              • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                              APIs
                                                                                • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A,00000000,00451021,00000000,00451042,?,00000000), ref: 0042CBCB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesCharFilePrev
                                                                              • String ID:
                                                                              • API String ID: 4082512850-0
                                                                              • Opcode ID: 2b26956367c8f6e622811080fef34c0f03e214d0e70f38de719cb12a16bd4f0b
                                                                              • Instruction ID: 74b243856bc5622d6abb531dde7ce5b14d401d40d7487e0850c127eadd6c7fbb
                                                                              • Opcode Fuzzy Hash: 2b26956367c8f6e622811080fef34c0f03e214d0e70f38de719cb12a16bd4f0b
                                                                              • Instruction Fuzzy Hash: 56E06571304708BFD701EB66EC93E5EBBACDB45B14B914876F400D7541E579AE00C418
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044F99C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 22c4a825166e9a110fa0cd7145a43304d6f70ecd84d601db30af9a86520ccae1
                                                                              • Instruction ID: bc5deea9494c1ef366a15eb1db6f809752da2ad0dcb78da92ab8c753fee697c5
                                                                              • Opcode Fuzzy Hash: 22c4a825166e9a110fa0cd7145a43304d6f70ecd84d601db30af9a86520ccae1
                                                                              • Instruction Fuzzy Hash: 03E012A53941483FE340EEAC6C42FA777DC9759754F008033B998D7242D5719D158BA8
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: 3d63e4b2211c5c4580dd321211c265d2c7427675a3424bd7ccfe827561558476
                                                                              • Instruction ID: d34465c294f68e8ea137c3ae429806dbcaeebb59bcd6a0203419814785322f26
                                                                              • Opcode Fuzzy Hash: 3d63e4b2211c5c4580dd321211c265d2c7427675a3424bd7ccfe827561558476
                                                                              • Instruction Fuzzy Hash: 11E0D8613843111AF22510666C4BB7A12098790704F9480263A10DE3D6D9AE990A029D
                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,00423614,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 00406319
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 91f371f92b4458d2df6fdff22a0a0aebc7ca7ebc2921950a35465f01e5b4a3fd
                                                                              • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                              • Opcode Fuzzy Hash: 91f371f92b4458d2df6fdff22a0a0aebc7ca7ebc2921950a35465f01e5b4a3fd
                                                                              • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                              APIs
                                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC28
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 771921d5586258fcecee2eeabb95e92086465f64ffd46d687e1536bcf760dc82
                                                                              • Instruction ID: 3b99b25f9e5c03d05328e8fe2c64a6fa7055fc0d331177c1988bf00159f0e0ef
                                                                              • Opcode Fuzzy Hash: 771921d5586258fcecee2eeabb95e92086465f64ffd46d687e1536bcf760dc82
                                                                              • Instruction Fuzzy Hash: E7E07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F404016FA08D7200C2B4EC519BB4
                                                                              APIs
                                                                              • FindClose.KERNEL32(00000000,000000FF,0046A501,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000), ref: 004530C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFind
                                                                              • String ID:
                                                                              • API String ID: 1863332320-0
                                                                              • Opcode ID: 2c6ddf738556e338986e659285bcd6dfb00f351da6fb89af47a9dd122954ab10
                                                                              • Instruction ID: 7bf8de0c1ab9b25c79a4700b9c6461219ded52c1b8285e3da27c8b81d6763f8b
                                                                              • Opcode Fuzzy Hash: 2c6ddf738556e338986e659285bcd6dfb00f351da6fb89af47a9dd122954ab10
                                                                              • Instruction Fuzzy Hash: 82E09B706047008BCB14DF3A84C031677D55F85321F14C96AEC58CB3D7D63D84595627
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(0048C96E,?,0048C990,?,?,00000000,0048C96E,?,?), ref: 00414633
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                              • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                              • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                              • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                              APIs
                                                                              • CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,00000000,?,0042C575,00000000,0042C592,?,?,00000000,?,00000000), ref: 00406AFD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CompareString
                                                                              • String ID:
                                                                              • API String ID: 1825529933-0
                                                                              • Opcode ID: df285a787a91df0510c1b9470b4c8139cfb679af50247b72370c3382fb6dd8d5
                                                                              • Instruction ID: f6665c11947ada4625099ec4a58cd3d7eb013588aad78fe549ce1534c5c33ddb
                                                                              • Opcode Fuzzy Hash: df285a787a91df0510c1b9470b4c8139cfb679af50247b72370c3382fb6dd8d5
                                                                              • Instruction Fuzzy Hash: DAD092D17416203BD250BA7E1C82F5B48CC8B1861FF00413AB208FB2D2C97C8F0512AE
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406EB4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 92616a0c773315b94590898aa4a0ca2ce8d2617e301858a5bf41299c043ccb5c
                                                                              • Instruction ID: 98287354acb22086ad025a87a5fb6bfac30b4272d3533434fd3a97b42b2db627
                                                                              • Opcode Fuzzy Hash: 92616a0c773315b94590898aa4a0ca2ce8d2617e301858a5bf41299c043ccb5c
                                                                              • Instruction Fuzzy Hash: 31D05B763082507AD620D65BAC44DA76BDCCBC5771F11063EB558C71C1D6309C05C675
                                                                              APIs
                                                                                • Part of subcall function 00423590: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004235A5
                                                                              • ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
                                                                                • Part of subcall function 004235C0: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 3202724764-0
                                                                              • Opcode ID: ea5c51de61202d4cbe2ae5b45e3e6aecf36d28bcb10aa4749c74ef1363364b60
                                                                              • Instruction ID: a662ef4f7fcd77f552cbdab35d39622d28ddb6582f0ddf195742295e2ae327b8
                                                                              • Opcode Fuzzy Hash: ea5c51de61202d4cbe2ae5b45e3e6aecf36d28bcb10aa4749c74ef1363364b60
                                                                              • Instruction Fuzzy Hash: 2AD05E123412303142203ABB3846A8B46EC4E826AA388082BB4588B307F91DCB5110BC
                                                                              APIs
                                                                              • SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: TextWindow
                                                                              • String ID:
                                                                              • API String ID: 530164218-0
                                                                              • Opcode ID: 36b264f0e85ca0497b7533c4a2d884e72b17b15a39c48fd07fabef73c721ee64
                                                                              • Instruction ID: 663572d81262a5d08488ee3295b79aee4309efab1bd3e886e296d112243a7649
                                                                              • Opcode Fuzzy Hash: 36b264f0e85ca0497b7533c4a2d884e72b17b15a39c48fd07fabef73c721ee64
                                                                              • Instruction Fuzzy Hash: EDD05BE270112067DB01BAFD54C4AC567CC4B4C25671440F7F904EF257C638CD444358
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,004506CB,00000000), ref: 0042CC03
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: b82088c33142265142d744e40a3ebc9261dedbc0120b4c7c3ff31406e957a02f
                                                                              • Instruction ID: 4da38584ad50f151178bae3f15839ff320953b9c4e9bd814279b6e5613fcdaee
                                                                              • Opcode Fuzzy Hash: b82088c33142265142d744e40a3ebc9261dedbc0120b4c7c3ff31406e957a02f
                                                                              • Instruction Fuzzy Hash: 35C08CE13022001A9A1065BF2CC510F02C8891427A3A41F37F52EE33D2D27D88972018
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046252C,00000000,00000000,00000000,0000000C,00000000), ref: 004618D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                              • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                              • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                              • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A85C,0040CE08,?,00000000,?), ref: 00406E6D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 7bbeac652bf9e26ddfb98cc5c061e88f67395af84d53f70b81aae82e01874d08
                                                                              • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                              • Opcode Fuzzy Hash: 7bbeac652bf9e26ddfb98cc5c061e88f67395af84d53f70b81aae82e01874d08
                                                                              • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                              APIs
                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,0048EE82,00000000,0048F028,?,?,00000005,00000000,0048F05C,?,?,00000000), ref: 00407243
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory
                                                                              • String ID:
                                                                              • API String ID: 1611563598-0
                                                                              • Opcode ID: 3293b503d2b4bba4523f910328dc84df787013104046f63be089ad99c5d39bd1
                                                                              • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                              • Opcode Fuzzy Hash: 3293b503d2b4bba4523f910328dc84df787013104046f63be089ad99c5d39bd1
                                                                              • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                                • Part of subcall function 0044F84C: GetLastError.KERNEL32(0044F668,0044F90E,?,00000000,?,0048EEF4,00000001,00000000,00000002,00000000,0048F028,?,?,00000005,00000000,0048F05C), ref: 0044F84F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: f3253332dbee4df14b0fa8e56291b2723a02f29b840123db82c78c33d7d8b1a0
                                                                              • Instruction ID: e17404963d9210faf7bcd6b13e10806e7cc740a865de794c8846e8a802dfbf25
                                                                              • Opcode Fuzzy Hash: f3253332dbee4df14b0fa8e56291b2723a02f29b840123db82c78c33d7d8b1a0
                                                                              • Instruction Fuzzy Hash: A1C04C61300500479F40A6AE95C190763DC9E193443104176B508DF217E7A8D8084A14
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,0042E249), ref: 0042E23C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: c0de3002351084fed35947dfb05fc57a340f91e1d3d115e6b2476f16dcfad9f3
                                                                              • Instruction ID: 2ee822bca7ba236112451c470c82c212b188af11444a75795fab687286b6ff04
                                                                              • Opcode Fuzzy Hash: c0de3002351084fed35947dfb05fc57a340f91e1d3d115e6b2476f16dcfad9f3
                                                                              • Instruction Fuzzy Hash: B9B09B7670C6009DB705D6D7745552D63D8E7C47203E145B7F001D2580D53C58004928
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a2d1db5538ea73db18434c02c596e0264b6757647316809c0a4cc46386525ad0
                                                                              • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                              • Opcode Fuzzy Hash: a2d1db5538ea73db18434c02c596e0264b6757647316809c0a4cc46386525ad0
                                                                              • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2e11252c8f068e5f320711ec4437e236dee30acc7c9f989bb20503d622e83fae
                                                                              • Instruction ID: 20a0716fe555351ae53ec84aea0f5e33c65c2cb82e29988a222a4db77543fb3e
                                                                              • Opcode Fuzzy Hash: 2e11252c8f068e5f320711ec4437e236dee30acc7c9f989bb20503d622e83fae
                                                                              • Instruction Fuzzy Hash: 13519674E041099FEB00EFA5C482AAEBBF5EF49314F508176E500E7351C7389D46CB98
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045B070
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 599c4b535e658b18ce22dfb26852a359f3d9c44e721798897f1f4c57bfe86861
                                                                              • Instruction ID: 197fa13a5db15f324c13d3003a06a4b5d4309829e3554a7131eac32aa72e2ed3
                                                                              • Opcode Fuzzy Hash: 599c4b535e658b18ce22dfb26852a359f3d9c44e721798897f1f4c57bfe86861
                                                                              • Instruction Fuzzy Hash: 0F1187712002049BDB00EF19C88175B3794EF8475AF05856EFD589B2C7DB78EC498BAA
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED3C,?,00423827,00423BA4,0041ED3C), ref: 0041F37A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 829857cc50c614b9e4f58a30b7f57fd45941c254744d41e4bd2888d1a2500faf
                                                                              • Instruction ID: 8a2b48c0a32b80b38b78727057d1ce8dd7083e6c405f33ac42e4b13742b40a44
                                                                              • Opcode Fuzzy Hash: 829857cc50c614b9e4f58a30b7f57fd45941c254744d41e4bd2888d1a2500faf
                                                                              • Instruction Fuzzy Hash: 7D1148746403099BCB10DF19C880B86FBE4EF98350B14C53AE9A88B395D374E849CBA9
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,00451629), ref: 0045160B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1452528299-0
                                                                              • Opcode ID: d71cf34c5828d9ab60ceca327b57a691e20f5cf8e6f4fa27d2de5408e2dec814
                                                                              • Instruction ID: d98855298e7be5a9d3f0d35184012b30359fd13790d4aac9ca9123f51ad7e951
                                                                              • Opcode Fuzzy Hash: d71cf34c5828d9ab60ceca327b57a691e20f5cf8e6f4fa27d2de5408e2dec814
                                                                              • Instruction Fuzzy Hash: AB0120356042486F8B11DFA99C115EEFBFCDB8932075482B7FC68D3352D6345D0996A4
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: 6e91187b7332a9de29bf17c99eed288b4db39574d0e8835f7149b85b29ec7ccb
                                                                              • Instruction ID: ed9b70f4bfbb0542158bd2f105c25c4ab5b5cc705db22fdb5c1542855cbe69d3
                                                                              • Opcode Fuzzy Hash: 6e91187b7332a9de29bf17c99eed288b4db39574d0e8835f7149b85b29ec7ccb
                                                                              • Instruction Fuzzy Hash: D901FC766442148FC3109E29DCC0E2677E8D794378F15453EDA95673A1D37A6C0187D8
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,0045B066), ref: 0045AF9F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: 4fff5a565df2a14c4f13934edac0ba2ab1e2a907cd2c7c546594f35b7a1beb1f
                                                                              • Instruction ID: b2c012dc50c3b33fb63eb55dcfc4a1bd2d8c3457cbd87c502616eb3b37b5a2f2
                                                                              • Opcode Fuzzy Hash: 4fff5a565df2a14c4f13934edac0ba2ab1e2a907cd2c7c546594f35b7a1beb1f
                                                                              • Instruction Fuzzy Hash: 85D0E9B17557045FEF90EE798CC1B0637D8BB48701F5045766904DB286E674E8148A18
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: 15fad48b423db95c67f8573259d9b999d60fad3f65fc35ec82f38a96773d5811
                                                                              • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                              • Opcode Fuzzy Hash: 15fad48b423db95c67f8573259d9b999d60fad3f65fc35ec82f38a96773d5811
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                                • Part of subcall function 0044A988: GetVersionExA.KERNEL32(00000094), ref: 0044A9A5
                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044ECE9,0048FB45), ref: 0044AA03
                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AA1B
                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AA2D
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AA3F
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AA51
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA63
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA75
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AA87
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AA99
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AAAB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AABD
                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AACF
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AAE1
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AAF3
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AB05
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AB17
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AB29
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AB3B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044AB4D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044AB5F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044AB71
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044AB83
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044AB95
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044ABA7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044ABB9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044ABCB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044ABDD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044ABEF
                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044AC01
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044AC13
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044AC25
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044AC37
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044AC49
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044AC5B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044AC6D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044AC7F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044AC91
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044ACA3
                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044ACB5
                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044ACC7
                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044ACD9
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044ACEB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044ACFD
                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044AD0F
                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044AD21
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044AD33
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044AD45
                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044AD57
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                              • API String ID: 1968650500-2910565190
                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 0045659F
                                                                              • QueryPerformanceCounter.KERNEL32(02113858,00000000,00456832,?,?,02113858,00000000,?,00456F2E,?,02113858,00000000), ref: 004565A8
                                                                              • GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 004565B2
                                                                              • GetCurrentProcessId.KERNEL32(?,02113858,00000000,00456832,?,?,02113858,00000000,?,00456F2E,?,02113858,00000000), ref: 004565BB
                                                                              • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456631
                                                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 0045663F
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00490A80,00000003,00000000,00000000,00000000,004567EE), ref: 00456687
                                                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004567DD,?,00000000,C0000000,00000000,00490A80,00000003,00000000,00000000,00000000,004567EE), ref: 004566C0
                                                                                • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456769
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045679F
                                                                              • CloseHandle.KERNEL32(000000FF,004567E4,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004567D7
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$h$helper %d 0x%x
                                                                              • API String ID: 770386003-3739555822
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DED6
                                                                              • GetVersion.KERNEL32(00000000,0042E080,?,00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF3
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E080,?,00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF0C
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF12
                                                                              • FreeSid.ADVAPI32(00000000,0042E087,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E07A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                                                              • String ID: CheckTokenMembership$advapi32.dll
                                                                              • API String ID: 1717332306-1888249752
                                                                              APIs
                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 004713DF
                                                                              • GetLastError.KERNEL32(-00000010,?), ref: 004713E8
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00471435
                                                                              • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00471459
                                                                              • CloseHandle.KERNEL32(00000000,0047148A,00000000,00000000,000000FF,000000FF,00000000,00471483,?,-00000010,?), ref: 0047147D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
                                                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                              • API String ID: 171997614-221126205
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 0042298C
                                                                              • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B56), ref: 0042299C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSendShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1631623395-0
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 0041832B
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00418348
                                                                              • GetWindowRect.USER32(?), ref: 00418364
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00418372
                                                                              • GetWindowLongA.USER32(?,000000F8), ref: 00418387
                                                                              • ScreenToClient.USER32(00000000), ref: 00418390
                                                                              • ScreenToClient.USER32(00000000,?), ref: 0041839B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                              • String ID: ,
                                                                              • API String ID: 2266315723-3772416878
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00453987
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0045398D
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004539A6
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004539CD
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004539D2
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004539E3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045A505
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045A515
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045A525
                                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,00477E2F,00000000,00477E58), ref: 0045A54A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$CryptVersion
                                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                              • API String ID: 1951258720-508647305
                                                                              • Opcode ID: dc227989441d83936e649666439b3cc639ab8d756e21d5d58c0105270db5c94c
                                                                              • Instruction ID: c721a2fd2455037b3106a82495dc64aa217f0e45604615640396be52aa14e824
                                                                              • Opcode Fuzzy Hash: dc227989441d83936e649666439b3cc639ab8d756e21d5d58c0105270db5c94c
                                                                              • Instruction Fuzzy Hash: 46F030F0501709EADB05DF76AC85B6236E5D7AC316F18C93BA404951BAE77C045CCE0D
APIs
• CoCreateInstance.OLE32(00490A3C,00000000,00000001,00490774,?,00000000,0045481A), ref: 00454660
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• CoCreateInstance.OLE32(00490764,00000000,00000001,00490774,?,00000000,0045481A), ref: 00454684
• SysFreeString.OLEAUT32(00000000), ref: 004547DF
Strings
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: CreateInstanceString$AllocByteCharFreeMultiWide
• String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
• API String ID: 2125489766-615220198
• Opcode ID: 1ff2274b41b5fff1f05c262f12fd10495a65f751bb0ac0f6b43a2977615f8d09
• Instruction ID: ffd62f61cc6991af28f12abceade669c84836543173017e35bfd2355551696ac
• Opcode Fuzzy Hash: 1ff2274b41b5fff1f05c262f12fd10495a65f751bb0ac0f6b43a2977615f8d09
• Instruction Fuzzy Hash: 68511E75A00204AFDB50EFA9C885F9E77F8AF4970AF144066B904EB252D778DD88CB19
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000,0048F3BC,?,?,00000000,00491628), ref: 0048F0F7
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0048F17A
• FindNextFileA.KERNEL32(000000FF,?,00000000,0048F1B6,?,00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000), ref: 0048F192
• FindClose.KERNEL32(000000FF,0048F1BD,0048F1B6,?,00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000,0048F3BC), ref: 0048F1B0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: e6b155d1fc5a6fed76f3ff436aabfe78a099c9d3dd152136b718bcc6898442c5
• Instruction ID: 0995a0b52c99030cdacd69922d83117e593e9f56f2330464dc8cd1f01f413916
• Opcode Fuzzy Hash: e6b155d1fc5a6fed76f3ff436aabfe78a099c9d3dd152136b718bcc6898442c5
• Instruction Fuzzy Hash: F6317471900608ABDB10FF65CC85ACEB7BCDB49304F5088F7A808A32A1D7389E458F58
APIs
• FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000,?,004764B6,00000000,00000000), ref: 0047610D
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047621D,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000), ref: 004761F9
• FindClose.KERNEL32(000000FF,00476224,0047621D,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000), ref: 00476217
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000,?,004764B6,00000000), ref: 00476270
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Find$File$First$CloseNext
• String ID:
• API String ID: 2001080981-0
• Opcode ID: c2a30befad65cb5fce50af56d2711088d7b647a5dbfa7200fec2fd63f1518930
• Instruction ID: 8c9fb22c455a10fb5a36ca721a14443a04b07c4b30e1df5645117e00204b3789
• Opcode Fuzzy Hash: c2a30befad65cb5fce50af56d2711088d7b647a5dbfa7200fec2fd63f1518930
• Instruction Fuzzy Hash: A771307090064DAFCF11EFA5CC45ADFBBB9EF49304F5180AAE808A7291D7399A45CF58
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004550F1
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455118
• SetForegroundWindow.USER32(?), ref: 00455129
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004553F4,?,00000000,00455430), ref: 004553DF
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00455269
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 4b7d33720b6eb7d067316519216896749b14cf25987947e9aa13bbe8f6ed6c13
• Instruction ID: 55a69997a3f8f3e0e0b4dd554ff312d23ac1d546746a95e528c0755331bb9322
• Opcode Fuzzy Hash: 4b7d33720b6eb7d067316519216896749b14cf25987947e9aa13bbe8f6ed6c13
• Instruction Fuzzy Hash: AA919C34604A04EFD711CF55C965F6ABBE5EB89705F2180BAED04977A2C778AE04CA18
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004542D4), ref: 004541D0
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004541D6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 6921d75a8c7e89856c53c54ce05328723cd5f2d2d5c9adca72d6fda43c64f4e5
• Instruction ID: 2d0bad47dcdbd0afe089202d066c8c13d69d372c820e44c9644451e9ab65bfc2
• Opcode Fuzzy Hash: 6921d75a8c7e89856c53c54ce05328723cd5f2d2d5c9adca72d6fda43c64f4e5
• Instruction Fuzzy Hash: DA315371A04259AFCF01DBE5D8829EEB7B8EF49304F5045A7F800F7692D63C5D498B68
APIs
• IsIconic.USER32(?), ref: 00417CA7
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CC5
• GetWindowPlacement.USER32(?,0000002C), ref: 00417CFB
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D22
Strings
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: c408806607909347ca89147f10def93184e476397b749817e92896a8f77c2243
• Instruction ID: 09dd2f6c86a6dd294e7079b4912c6a74c3ea6d73e0aaba55afa268ad374e44ee
• Opcode Fuzzy Hash: c408806607909347ca89147f10def93184e476397b749817e92896a8f77c2243
• Instruction Fuzzy Hash: F1213E71600208ABDF50EF69D8C0ADA77B8AF48314F15456AFE18DF346D778E844CBA8
APIs
• SetErrorMode.KERNEL32(00000001,00000000,0045ECC5), ref: 0045EB39
• FindFirstFileA.KERNEL32(00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EBC8
• FindNextFileA.KERNEL32(000000FF,?,00000000,0045EC7A,?,00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EC5A
• FindClose.KERNEL32(000000FF,0045EC81,0045EC7A,?,00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EC74
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: dc5338f80e1f029b4f8e8b91e557324ea873113412f12b2013edcdecd03d94c3
• Instruction ID: 3a4d7cb4941e96cfdd303e4f0826b6c285f1ddbae1b5db0b7c96a3fe66f8f59e
• Opcode Fuzzy Hash: dc5338f80e1f029b4f8e8b91e557324ea873113412f12b2013edcdecd03d94c3
• Instruction Fuzzy Hash: A941A770A046189FDB15EF66CC45ADEB7B8EB48306F4044BAF804E7342D63C9F488E58
APIs
• SetErrorMode.KERNEL32(00000001,00000000,0045F16B), ref: 0045EFF9
• FindFirstFileA.KERNEL32(00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F03F
• FindNextFileA.KERNEL32(000000FF,?,00000000,0045F118,?,00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F0F4
• FindClose.KERNEL32(000000FF,0045F11F,0045F118,?,00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F112
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 541b62a81bf70b795dd067537b0e07b89d97958f03cda714e22a6959c94b31e8
• Instruction ID: 640d99d9abe4894cefdbd3fd6d16d781720cdc17d517c820ae452588c85b6f1a
• Opcode Fuzzy Hash: 541b62a81bf70b795dd067537b0e07b89d97958f03cda714e22a6959c94b31e8
• Instruction Fuzzy Hash: 4A415531A00A18DBCB10EF65DC859DEB7B9EB88316F4044BAF804E7342D6389E488E59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E6DE
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E709
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E716
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E71E
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E724
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: 61c0b65f11590cc0ec78ea52688af32a25736f0531a16fe2034826f1a78c5c91
• Instruction ID: cfcd0b13f67bde27cb287f5cb841aeaa4b6519b2e9d9e2871a7c89d990822bf0
• Opcode Fuzzy Hash: 61c0b65f11590cc0ec78ea52688af32a25736f0531a16fe2034826f1a78c5c91
• Instruction Fuzzy Hash: 7BF06D713917207AF620B17A6C86F7B418CC789B68F10863ABB14FF1C1D9A85D0555AD
APIs
• IsIconic.USER32(?), ref: 0047B87A
• GetWindowLongA.USER32(00000000,000000F0), ref: 0047B898
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,00491F50,0047B0C6,0047B0FA,00000000,0047B11A,?,?,00000001,00491F50), ref: 0047B8BA
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,00491F50,0047B0C6,0047B0FA,00000000,0047B11A,?,?,00000001,00491F50), ref: 0047B8CE
Memory Dump Source
• Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: cfd0831661ad663eb917c2d02f63290d2463dede9815b3911d9f7cd8ec235724
• Instruction ID: baa5e676ec9c0d2e7e64be375973edd3553068a70d3116c84d2eaa9e006cecd4
• Opcode Fuzzy Hash: cfd0831661ad663eb917c2d02f63290d2463dede9815b3911d9f7cd8ec235724
• Instruction Fuzzy Hash: BE015E71A142056BD700B7B5DC45BAB339CAB15384F0A457BF8499B2AACB7DC880878D
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0045D658), ref: 0045D5DC
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045D638,?,00000000,?,00000000,0045D658), ref: 0045D618
                                                                              • FindClose.KERNEL32(000000FF,0045D63F,0045D638,?,00000000,?,00000000,0045D658), ref: 0045D632
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 3541575487-0
                                                                              • Opcode ID: 33ee04b2700281fe0b41767445ae053f4dc073427bb892a62614f5783a70e92d
                                                                              • Instruction ID: 0ce5ae1f025114c6719b1c3c65257df9a0366b5f2e6328d66f20572a18fa54c0
                                                                              • Opcode Fuzzy Hash: 33ee04b2700281fe0b41767445ae053f4dc073427bb892a62614f5783a70e92d
                                                                              • Instruction Fuzzy Hash: F321C9719046086ECB21DF658C41ACEBBACDF49305F5044B7AC08D3552D6389A498E19
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 0042417C
                                                                              • SetActiveWindow.USER32(?,?,?,00466F57), ref: 00424189
                                                                                • Part of subcall function 004235E4: ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
                                                                                • Part of subcall function 00423AAC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,004241A2,?,?,?,00466F57), ref: 00423AE7
                                                                              • SetFocus.USER32(00000000,?,?,?,00466F57), ref: 004241B6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveFocusIconicShow
                                                                              • String ID:
                                                                              • API String ID: 649377781-0
                                                                              • Opcode ID: 4848593e48c9536867d80b2cbd12ec124348ae37830da1729c68c7c691c271f4
                                                                              • Instruction ID: 8d446daf7b35e5ea29ffeb076200aa1129eece2f63f635de5a25b7de358d0631
                                                                              • Opcode Fuzzy Hash: 4848593e48c9536867d80b2cbd12ec124348ae37830da1729c68c7c691c271f4
                                                                              • Instruction Fuzzy Hash: F7F0D0B170011097DB00AFA9D885A9633A4AF48305B55417BBD05DF35BC67CDC518768
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,?,?,|~F,?,?,00467E7C,00000000), ref: 0045A5BB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID: |~F
                                                                              • API String ID: 2153018856-2359949563
                                                                              • Opcode ID: 92a169d92116aada996d5d9458f81dc8d29c8eefca20c406bde358f83e7ba105
                                                                              • Instruction ID: 9692f02617442a2a376df0b4e6aabf7b2afe947750d0341fdcc82445fa3c8269
                                                                              • Opcode Fuzzy Hash: 92a169d92116aada996d5d9458f81dc8d29c8eefca20c406bde358f83e7ba105
                                                                              • Instruction Fuzzy Hash: 5BC09BF600420C7F65005795ECC9C77F75CE65C7647408526F604421119771AC104574
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00417CA7
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CC5
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417CFB
                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D22
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Placement$Iconic
                                                                              • String ID:
                                                                              • API String ID: 568898626-0
                                                                              • Opcode ID: 69517a820a0449f535e3fa6ce91cf103914ff1e4dee6cbc5125b1950d8bbeb53
                                                                              • Instruction ID: 11b7e4335ee3226caab8470cf3c5b054e8fbabdd68a735f62f1a536aeba2eeda
                                                                              • Opcode Fuzzy Hash: 69517a820a0449f535e3fa6ce91cf103914ff1e4dee6cbc5125b1950d8bbeb53
                                                                              • Instruction Fuzzy Hash: 0D01713130410867DB20EE69DCC1EE777A8AB54324F154566FE18CF242D634DC8087A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CaptureIconic
                                                                              • String ID:
                                                                              • API String ID: 2277910766-0
                                                                              • Opcode ID: 05d574ab02b87442be763abf1989c0deaf975667ca85f0561d4b8beadaa0a679
                                                                              • Instruction ID: 3a8b8731f2edab5627af23f704938489c4dd11ab886107c36bcf2cff3c26aea9
                                                                              • Opcode Fuzzy Hash: 05d574ab02b87442be763abf1989c0deaf975667ca85f0561d4b8beadaa0a679
                                                                              • Instruction Fuzzy Hash: 05F0317170460167D720972AC885BAF67F69F88358B24483BE819CBB66EB78DCC5C258
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00424133
                                                                                • Part of subcall function 00423A1C: EnumWindows.USER32(004239B4), ref: 00423A40
                                                                                • Part of subcall function 00423A1C: GetWindow.USER32(?,00000003), ref: 00423A55
                                                                                • Part of subcall function 00423A1C: GetWindowLongA.USER32(?,000000EC), ref: 00423A64
                                                                                • Part of subcall function 00423A1C: SetWindowPos.USER32(00000000,004240F4,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424143,?,?,00423D0B), ref: 00423A9A
                                                                              • SetActiveWindow.USER32(?,?,?,00423D0B,00000000,004240F4), ref: 00424147
                                                                                • Part of subcall function 004235E4: ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                              • String ID:
                                                                              • API String ID: 2671590913-0
                                                                              • Opcode ID: 9d30028009ad4628a8d0e3aae638df8d6c1a37638e51480dd0e93e30da34da79
                                                                              • Instruction ID: dcadf6d4c305d047648006eb2a28155750554a200776102dc19c63a76c85b6db
                                                                              • Opcode Fuzzy Hash: 9d30028009ad4628a8d0e3aae638df8d6c1a37638e51480dd0e93e30da34da79
                                                                              • Instruction Fuzzy Hash: BAE01AA030010087DB00AF69DCC8BA672A4BF48304F5501BABD4CCF25BD73DCC508728
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0041276D), ref: 0041275B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: a5791c81ae37d8b5f1290d8fb0e90dd447bc881189c2c774a095a33dc1ebcefd
                                                                              • Instruction ID: a8ddcdea9be836396915a3f7c0de0854b88ba77919e1187662e8d19f2bd72504
                                                                              • Opcode Fuzzy Hash: a5791c81ae37d8b5f1290d8fb0e90dd447bc881189c2c774a095a33dc1ebcefd
                                                                              • Instruction Fuzzy Hash: 52510431608646CFD714DB6AD681A9BF3E5FF94314B24827BD814C33A1DAB8ED91CB08
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00471A3E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: c76eea88bd8d0a7d60ffcd26e22655cbfd5c436395c4190c1cca566d77c737cb
                                                                              • Instruction ID: 029bc5b5541294e4e1144cafc668f1a80fadc228f1d49c9345c84ce6279c24df
                                                                              • Opcode Fuzzy Hash: c76eea88bd8d0a7d60ffcd26e22655cbfd5c436395c4190c1cca566d77c737cb
                                                                              • Instruction Fuzzy Hash: 5C4138B5604104EFCB10CF9DD6908AAB7F9EB48310B24C596E94CDB725D338EE42DB94
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,00467BDA), ref: 0045A5CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID:
                                                                              • API String ID: 2153018856-0
                                                                              • Opcode ID: 7567f3976229c45b6434f01aabe130da5a209489209cb06c09f49983fc845cf4
                                                                              • Instruction ID: 527f91f744bbf07d4cbd4d34731dd7f836b123af709a081cc5745f589b9e42a5
                                                                              • Opcode Fuzzy Hash: 7567f3976229c45b6434f01aabe130da5a209489209cb06c09f49983fc845cf4
                                                                              • Instruction Fuzzy Hash: BFA002B4A803057AFD2057705D0EF36252C97D4F01F208865B211A91E887A46400852C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2946068523.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                              • Associated: 00000001.00000002.2946046118.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000001.00000002.2946086474.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                              • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2946068523.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                              • Associated: 00000001.00000002.2946046118.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000001.00000002.2946086474.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                              • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • CreateMutexA.KERNEL32(00490A74,00000001,00000000,00000000,00456151,?,?,?,00000001,?,0045636B,00000000,00456381,?,00000000,00491628), ref: 00455E69
                                                                              • CreateFileMappingA.KERNEL32(000000FF,00490A74,00000004,00000000,00002018,00000000), ref: 00455EA1
                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,00456127,?,00490A74,00000001,00000000,00000000,00456151,?,?,?), ref: 00455EC8
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00455FD5
                                                                              • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,00456127,?,00490A74,00000001,00000000,00000000,00456151), ref: 00455F2D
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00455FEC
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456025
                                                                              • GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456037
                                                                              • UnmapViewOfFile.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456109
                                                                              • CloseHandle.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456118
                                                                              • CloseHandle.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456121
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                              • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$kcE
                                                                              • API String ID: 4012871263-3188938376
                                                                              APIs
                                                                              • GetVersion.KERNEL32(?,00418F88,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                              • SetErrorMode.KERNEL32(00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0DA
                                                                              • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0E6
                                                                              • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0F4
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F124
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F14D
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F162
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F177
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F18C
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1A1
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1B6
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1CB
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1E0
                                                                              • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1F5
                                                                              • FreeLibrary.KERNEL32(00000001,?,00418F88,00000000,?,?,?,00000001), ref: 0041F207
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                              • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                              • API String ID: 2323315520-3614243559
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,0041A8DC,?), ref: 0041C9D8
                                                                              • 73A24C40.GDI32(?,00000000,?,0041A8DC,?), ref: 0041C9E4
                                                                              • 73A26180.GDI32(0041A8DC,?,00000001,00000001,00000000,00000000,0041CBFA,?,?,00000000,?,0041A8DC,?), ref: 0041CA08
                                                                              • 73A24C00.GDI32(?,0041A8DC,?,00000000,0041CBFA,?,?,00000000,?,0041A8DC,?), ref: 0041CA18
                                                                              • SelectObject.GDI32(0041CDD4,00000000), ref: 0041CA33
                                                                              • FillRect.USER32(0041CDD4,?,?), ref: 0041CA6E
                                                                              • SetTextColor.GDI32(0041CDD4,00000000), ref: 0041CA83
                                                                              • SetBkColor.GDI32(0041CDD4,00000000), ref: 0041CA9A
                                                                              • PatBlt.GDI32(0041CDD4,00000000,00000000,0041A8DC,?,00FF0062), ref: 0041CAB0
                                                                              • 73A24C40.GDI32(?,00000000,0041CBB3,?,0041CDD4,00000000,?,0041A8DC,?,00000000,0041CBFA,?,?,00000000,?,0041A8DC), ref: 0041CAC3
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CAF4
                                                                              • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3,?,0041CDD4,00000000,?,0041A8DC), ref: 0041CB0C
                                                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3,?,0041CDD4,00000000,?), ref: 0041CB15
                                                                              • 73A18830.GDI32(0041CDD4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3), ref: 0041CB24
                                                                              • 73A122A0.GDI32(0041CDD4,0041CDD4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3), ref: 0041CB2D
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CB46
                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CB5D
                                                                              • 73A24D40.GDI32(0041CDD4,00000000,00000000,0041A8DC,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CBA2,?,?,00000000), ref: 0041CB79
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CB86
                                                                              • DeleteDC.GDI32(00000000), ref: 0041CB9C
                                                                                • Part of subcall function 00419FF0: GetSysColor.USER32(?), ref: 00419FFA
                                                                              Similarity
                                                                              • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                                              • String ID:
                                                                              • API String ID: 1381628555-0
                                                                              APIs
                                                                              • ShowWindow.USER32(?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000,?,0048FA95,00000000,0048FA9F,?,00000000), ref: 0048F44F
                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000,?,0048FA95,00000000), ref: 0048F462
                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000), ref: 0048F472
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0048F493
                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000), ref: 0048F4A3
                                                                                • Part of subcall function 0042D320: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3AE,?,?,00000000,?,?,0048EE8C,00000000,0048F028,?,?,00000005), ref: 0042D355
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                              • API String ID: 2000705611-3672972446
                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 00459F82
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00459FA2
                                                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 00459FAF
                                                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoA), ref: 00459FBC
                                                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 00459FCA
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A19E), ref: 0045A069
                                                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A19E), ref: 0045A072
                                                                              • LocalFree.KERNEL32(?,0045A14C), ref: 0045A13F
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
                                                                              • String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$W$advapi32.dll
                                                                              • API String ID: 4088882585-3389539026
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,004580D2,?,?,?,?,?,00000005,?,00000000,0048E932,?,00000000,0048E9CD), ref: 00457F84
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                              • API String ID: 1452528299-1593206319
                                                                              APIs
                                                                              • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B35B
                                                                              • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B365
                                                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B377
                                                                              • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B38E
                                                                              • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39A
                                                                              • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B3F3,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C7
                                                                              • 73A1A480.USER32(00000000,00000000,0041B3FA,00000000,0041B3F3,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3ED
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B408
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B417
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B443
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B451
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B45F
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B468
                                                                              • DeleteDC.GDI32(?), ref: 0041B471
                                                                              Similarity
                                                                              • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                                              • String ID:
                                                                              • API String ID: 359944910-0
                                                                              APIs
                                                                                • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046C5EB
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046C6DE
                                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046C6F4
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046C719
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                              • API String ID: 971782779-3668018701
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,?,00000000,?,00000000,00452FC5,?,0045829A,00000003,00000000,00000000,00452FFC), ref: 00452E45
                                                                                • Part of subcall function 0042E650: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
                                                                              • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,00000000,?,00000004,00000000,00452F0F,?,0045829A,00000000,00000000,?,00000000,?,00000000), ref: 00452EC9
                                                                              • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,00000000,?,00000004,00000000,00452F0F,?,0045829A,00000000,00000000,?,00000000,?,00000000), ref: 00452EF8
                                                                              Strings
                                                                              • RegOpenKeyEx, xrefs: 00452DC8
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452D9C
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452D63
                                                                              • , xrefs: 00452DB6
                                                                              Similarity
                                                                              • API ID: QueryValue$FormatMessageOpen
                                                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2812809588-1577016196
                                                                              • Opcode ID: 164f167b994ac05a2ab45126a4686da91eefd5f344db9a1027db2db68b31891c
                                                                              • Instruction ID: b6e0c9aa2a7324dc16ce0eb777ef5f1f64662bbe41087482d690b0cee0de57e9
                                                                              • Opcode Fuzzy Hash: 164f167b994ac05a2ab45126a4686da91eefd5f344db9a1027db2db68b31891c
                                                                              • Instruction Fuzzy Hash: B8913371904208ABDB10DFA5D942BDEB7F8EB49305F10407BF901F7282D7B89E099B69
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(?), ref: 004569EB
                                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456A07
                                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456A15
                                                                              • GetExitCodeProcess.KERNEL32(?), ref: 00456A26
                                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A6D
                                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A89
                                                                              Strings
                                                                              • Helper process exited., xrefs: 00456A35
                                                                              • Helper process exited with failure code: 0x%x, xrefs: 00456A53
                                                                              • Helper process exited, but failed to get exit code., xrefs: 00456A5F
                                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 004569DD
                                                                              • Helper isn't responding; killing it., xrefs: 004569F7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                              • API String ID: 3355656108-1243109208
                                                                              • Opcode ID: dfa879da1190b2b5009c71c39ad4c581381385d4e8d941786017907b195d6b18
                                                                              • Instruction ID: c2c67eabc059fe092fc353f7c4ae25755d0186064ff77fbf3dc6ddb5515218cf
                                                                              • Opcode Fuzzy Hash: dfa879da1190b2b5009c71c39ad4c581381385d4e8d941786017907b195d6b18
                                                                              • Instruction Fuzzy Hash: 01217F70604B409AD720EB79C44575BBAD4AF09305F41C92FF88ADB283D67CEC48CB2A
                                                                              APIs
                                                                                • Part of subcall function 0042DBFC: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC28
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452B07
                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452C43
                                                                                • Part of subcall function 0042E650: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452A4F
                                                                              • RegCreateKeyEx, xrefs: 00452A7B
                                                                              • , xrefs: 00452A69
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452A1F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2481121983-1280779767
                                                                              • Opcode ID: b4152d01e9ccb9eb4bc95eb9c39ab26bb747a47f82ef17865a926b6aa4eed433
                                                                              • Instruction ID: 49df277322c3e2db58ac68d73aa7608868f9f3aba76e608e184ece725d7364fe
                                                                              • Opcode Fuzzy Hash: b4152d01e9ccb9eb4bc95eb9c39ab26bb747a47f82ef17865a926b6aa4eed433
                                                                              • Instruction Fuzzy Hash: BA81EF75A00209ABDB01DFD5C941BEEB7B9EF49305F50442BF901F7282D778AA058B69
                                                                              APIs
                                                                                • Part of subcall function 00451EB8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FA7
                                                                                • Part of subcall function 00451EB8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FB7
                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048E049
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0048E19D), ref: 0048E06A
                                                                              • CreateWindowExA.USER32(00000000,STATIC,0048E1AC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0048E091
                                                                              • SetWindowLongA.USER32(?,000000FC,0048D808), ref: 0048E0A4
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000,STATIC,0048E1AC), ref: 0048E0D4
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0048E148
                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000), ref: 0048E154
                                                                                • Part of subcall function 00452208: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004522EF
                                                                              • 73A25CF0.USER32(?,0048E177,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000,STATIC), ref: 0048E16A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                              • API String ID: 170458502-2312673372
                                                                              • Opcode ID: dc2ba642abb86ea17383190dbdf621dce8a3c7c04dc03325410c7583d4026f4c
                                                                              • Instruction ID: 807ddb41360c8efece4b1568f7706e44eaacfe1c0b7f64554d9e502e80a4ee61
                                                                              • Opcode Fuzzy Hash: dc2ba642abb86ea17383190dbdf621dce8a3c7c04dc03325410c7583d4026f4c
                                                                              • Instruction Fuzzy Hash: E4413E70A40208AEDB01FBA6DD46F9E77B8EB09704F50497AF510F72D1D6799A008BA8
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042EA54
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA68
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EA75
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EA82
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042EACE
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB0C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: 8242dbb534a797f2e20caac98c5d5e9c56e387a0feba33b4bb569f2e28a29b6e
                                                                              • Instruction ID: 46d8cee8fd820ad79b722f42caeb789437fd50e402c398a58b8d459d0228c479
                                                                              • Opcode Fuzzy Hash: 8242dbb534a797f2e20caac98c5d5e9c56e387a0feba33b4bb569f2e28a29b6e
                                                                              • Instruction Fuzzy Hash: 6421F2717006246BD710DA69DC81F3B36D8EB84720F09452AF941DB386EA79EC008B99
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0045D830
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0045D844
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045D851
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045D85E
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0045D8AA
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045D8E8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: d62e44f587709394466ea37500aaa1b5e2f432790840747db7898da7f77e3b37
                                                                              • Instruction ID: 23bfedf7228fbea826d1c83b7972dd770d1dbaeaf2fc29a59ee8661fa47205f9
                                                                              • Opcode Fuzzy Hash: d62e44f587709394466ea37500aaa1b5e2f432790840747db7898da7f77e3b37
                                                                              • Instruction Fuzzy Hash: 59218075A016046BD720AA68CC81F3B32D9EF94B11F09453AFD44DB396DA78DC048B99
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00456D6B,?,00000000,00456DCE,?,?,02113858,00000000), ref: 00456BE9
                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02113858,?,00000000,00456D00,?,00000000,00000001,00000000,00000000,00000000,00456D6B), ref: 00456C46
                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02113858,?,00000000,00456D00,?,00000000,00000001,00000000,00000000,00000000,00456D6B), ref: 00456C53
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00456C9F
                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00456CD9,?,-00000020,0000000C,-00002034,00000014,02113858,?,00000000,00456D00,?,00000000), ref: 00456CC5
                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00456CD9,?,-00000020,0000000C,-00002034,00000014,02113858,?,00000000,00456D00,?,00000000), ref: 00456CCC
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                              • API String ID: 2182916169-3012584893
                                                                              • Opcode ID: cb038afbe5e32e3b67a98964ed7a4267f362b69b3ea10aabd8e2ebb65ae4cf67
                                                                              • Instruction ID: 0b2cd44f18195d098fe370dcd7d1a83bd0e3d21fbcb88504b42bcbfe0ef11783
                                                                              • Opcode Fuzzy Hash: cb038afbe5e32e3b67a98964ed7a4267f362b69b3ea10aabd8e2ebb65ae4cf67
                                                                              • Instruction Fuzzy Hash: 6D41C070A00608EFDB15DF95C981F9EB7F9FB08314F5144AAF904E7692D6789E44CB28
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454B11,?,?,00000031,?), ref: 004549D4
                                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004549DA
                                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00454A27
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                              • API String ID: 1914119943-2711329623
                                                                              • Opcode ID: 39aff9fd92ac34b112b7b81d9150acff83df3ca0beae7ab2c7a1e7b9ae44b984
                                                                              • Instruction ID: 2fecba792ef182a2466fe38d60bbc26a4af48833be0fcc9fef50ef1eb8159f68
                                                                              • Opcode Fuzzy Hash: 39aff9fd92ac34b112b7b81d9150acff83df3ca0beae7ab2c7a1e7b9ae44b984
                                                                              • Instruction Fuzzy Hash: DB31B471A40604AFDB51EFAACC11E5BB7FDEBC87097118466B800DB752DA38DD84C728
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E359,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,00479638), ref: 0042E27D
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E283
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E359,?,?,00000001,00000000,?,?,00000001), ref: 0042E2D1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-2401316094
                                                                              • Opcode ID: aee9e43cdfe22e88d61aa29f3bcb7d8aea1058badab76d7c86637c7a275ef629
                                                                              • Instruction ID: 1e41f63d3423b93723c579b73569ceba8d094b42876aecad42777c776dcbffe9
                                                                              • Opcode Fuzzy Hash: aee9e43cdfe22e88d61aa29f3bcb7d8aea1058badab76d7c86637c7a275ef629
                                                                              • Instruction Fuzzy Hash: 3B213230B00219EBDB10EAA7EC55A9F77A8EB44705F904477A900E7281D7789A058B5C
                                                                              APIs
                                                                              • RectVisible.GDI32(?,?), ref: 00416DAB
                                                                              • SaveDC.GDI32(?), ref: 00416DBF
                                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DE2
                                                                              • RestoreDC.GDI32(?,?), ref: 00416DFD
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416E7D
                                                                              • FrameRect.USER32(?,?,?), ref: 00416EB0
                                                                              • DeleteObject.GDI32(?), ref: 00416EBA
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416ECA
                                                                              • FrameRect.USER32(?,?,?), ref: 00416EFD
                                                                              • DeleteObject.GDI32(?), ref: 00416F07
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                              • String ID:
                                                                              • API String ID: 375863564-0
                                                                              • Opcode ID: 2b4479f134976cc427de4a13722bf7e05ec00857587bc7c9256bd6560d63d54d
                                                                              • Instruction ID: 850ea02e8a9b4343556f2283201a74973d1cf55a7a3e638d9b74352119c9255d
                                                                              • Opcode Fuzzy Hash: 2b4479f134976cc427de4a13722bf7e05ec00857587bc7c9256bd6560d63d54d
                                                                              • Instruction Fuzzy Hash: 08513B712087456BDB40EF29C8C0B9B77E8AF48314F15466AFD48CB286C738EC81CB99
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000), ref: 004221CB
                                                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221E9
                                                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221F6
                                                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422203
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422210
                                                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042221D
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042222A
                                                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422237
                                                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00422255
                                                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422271
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$EnableItem$System
                                                                              • String ID:
                                                                              • API String ID: 3985193851-0
                                                                              • Opcode ID: b84500d1bdba627e370d31b1c166d2edc07ccc1ebccfb2c409e249d02a917cae
                                                                              • Instruction ID: e278505ce02f2bd95d30b17d407da9a210706e4ddb61a2b096333af5bd30a6f5
                                                                              • Opcode Fuzzy Hash: b84500d1bdba627e370d31b1c166d2edc07ccc1ebccfb2c409e249d02a917cae
                                                                              • Instruction Fuzzy Hash: E4212170344744BAEB25DB25DD8BFAB7AD89B08748F0440A5B6447F2D3C6FDAE408698
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(10000000), ref: 00479CE8
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00479CFC
                                                                              • SendNotifyMessageA.USER32(00020470,00000496,00002710,00000000), ref: 00479D61
                                                                              Strings
                                                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 00479D1D
                                                                              • Deinitializing Setup., xrefs: 00479B5E
                                                                              • DeinitializeSetup, xrefs: 00479BF9
                                                                              • Restarting Windows., xrefs: 00479D3C
                                                                              • GetCustomSetupExitCode, xrefs: 00479B9D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary$MessageNotifySend
                                                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3817813901-1884538726
                                                                              • Opcode ID: 897b73cd04819112cf29f50d09c30dd7b4bb71156158dbfbf11bdf57731a2d04
                                                                              • Instruction ID: 95ec44850c5e7f1ab6df3571a5df09eca163523de8b7c581315cb161254197e5
                                                                              • Opcode Fuzzy Hash: 897b73cd04819112cf29f50d09c30dd7b4bb71156158dbfbf11bdf57731a2d04
                                                                              • Instruction Fuzzy Hash: 0051B534604200AFDB25DB75EA95B9A77E4FB19314F5084BBF808C73A1DB789C44CB59
                                                                              APIs
                                                                                • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                              • SHGetMalloc.SHELL32(?), ref: 0045C597
                                                                              • GetActiveWindow.USER32 ref: 0045C5FB
                                                                              • CoInitialize.OLE32(00000000), ref: 0045C60F
                                                                              • SHBrowseForFolder.SHELL32(?), ref: 0045C626
                                                                              • CoUninitialize.OLE32(0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C63B
                                                                              • SetActiveWindow.USER32(?,0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C651
                                                                              • SetActiveWindow.USER32(?,?,0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C65A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow$BrowseCharFolderInitializeMallocPrevUninitialize
                                                                              • String ID: A
                                                                              • API String ID: 1128911707-3554254475
                                                                              • Opcode ID: 6aca2d0e9cbc55331362c9f13a24fd18a5e61b9df52d4a6d90436bd4c2941ac8
                                                                              • Instruction ID: 312b670ea087426fa006e960c8e3cb0182f30903be6f12de62926b3b68f49f37
                                                                              • Opcode Fuzzy Hash: 6aca2d0e9cbc55331362c9f13a24fd18a5e61b9df52d4a6d90436bd4c2941ac8
                                                                              • Instruction Fuzzy Hash: 68311270E00318AFDB00DFA6D886A9EBBF8EB09304F51447AF804E7252D6785A44CF59
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045A631
                                                                              • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045A641
                                                                              • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045A651
                                                                              • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045A661
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                              • API String ID: 190572456-3516654456
                                                                              • Opcode ID: bed0c592b19218b302000e891b177588dd892a96f65053ab4286eee6aeb3e139
                                                                              • Instruction ID: cf36547cdd1c597f200aca6fe346d891c24020020a55e697658b05d70f56f1d0
                                                                              • Opcode Fuzzy Hash: bed0c592b19218b302000e891b177588dd892a96f65053ab4286eee6aeb3e139
                                                                              • Instruction Fuzzy Hash: 8B018FB052030ADEDB04DF32ACC03263695A364386F18C23B9C80552BBD77C045ECE0E
                                                                              APIs
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A951
                                                                              • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A98B
                                                                              • SetBkColor.GDI32(?,?), ref: 0041A9A0
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9EA
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041A9F5
                                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA05
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA44
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA4E
                                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AA5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Color$StretchText
                                                                              • String ID:
                                                                              • API String ID: 2984075790-0
                                                                              • Opcode ID: 82eb3282d304b9e306b0c803916e6de8b4d2ecf1cc2efc0374c785e0eba7f8b3
                                                                              • Instruction ID: b784b2327dbbb77ad5e653bb99e7467a243cec1ed61aaa3db7693e9945dbbb21
                                                                              • Opcode Fuzzy Hash: 82eb3282d304b9e306b0c803916e6de8b4d2ecf1cc2efc0374c785e0eba7f8b3
                                                                              • Instruction Fuzzy Hash: 8661D5B5A00505EFCB40EFA9D985E9ABBF8AF08314B10856AF518EB251C734ED41CF68
                                                                              APIs
                                                                                • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00455D4C,?, /s ",?,regsvr32.exe",?,00455D4C), ref: 00455CBE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDirectoryHandleSystem
                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                              • API String ID: 2051275411-1862435767
                                                                              • Opcode ID: d409af3b62711a3076e859fe1edcb2bd93033f39dd478d898bc79be760b67c24
                                                                              • Instruction ID: f93e42548513463b2b05d38e92dfbbb413aec739801f17940c66c8f0f6709406
                                                                              • Opcode Fuzzy Hash: d409af3b62711a3076e859fe1edcb2bd93033f39dd478d898bc79be760b67c24
                                                                              • Instruction Fuzzy Hash: 34412871A007486BDB01EFD5C895BDDBBF9AF48305F50807BA904BB292D7789A0D8B58
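The string fragments in the record above (`regsvr32.exe"`, ` /s "`, ` /u`, `CreateProcess`, `Spawning 32-bit RegSvr32: `, `Spawning 64-bit RegSvr32: `) together with the GetSystemDirectoryA subcall are the pieces of a command line of the form `"<system dir>\regsvr32.exe" /s "<dll>"` (with ` /u` for unregistration). The detection below is an added example and not part of this report: it runs a minimal rule over constructed, Sysmon-style process-creation events and flags a silent regsvr32 registration whose DLL lives under a user-writable root, reporting the parent image. The event fields, paths and the SUSPECT_ROOTS list are assumptions chosen for the example.

```python
"""Flag silent regsvr32 DLL (un)registration from user-writable paths.
Added example: EVENTS are constructed Sysmon-style records, not sandbox output."""
import ntpath
import re

# Roots a normal installer rarely registers COM servers from (assumed tuning).
SUSPECT_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

EVENTS = [  # constructed process-creation events
    {"ParentImage": r"C:\Users\alice\Downloads\1iGYsIphmN.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\ExampleApp\helper.dll"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Windows\System32\scrrun.dll"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\unpack.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s /u "C:\Users\alice\AppData\Local\Temp\old.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]


def split_cmdline(cmd):
    """Windows-style tokenizer: quoted tokens stay whole, quotes are removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyze(event):
    """Return a finding dict for a suspicious regsvr32 launch, else None."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return None
    argv = split_cmdline(event["CommandLine"])[1:]        # drop the image itself
    switches = {a.lower() for a in argv if a.startswith("/")}
    targets = [a for a in argv if not a.startswith("/")]
    if "/s" not in switches or not targets:
        return None                                       # interactive or no DLL: out of scope
    dll = targets[0]
    if not dll.lower().startswith(SUSPECT_ROOTS):
        return None                                       # DLL under a system/program root
    return {"parent": event["ParentImage"], "dll": dll, "unregister": "/u" in switches}


def run(events):
    """Apply the rule to every event and keep the findings."""
    return [f for f in map(analyze, events) if f]
```

The rule keys on `/s` because that is the switch the sample's strings carry; an interactive `regsvr32` launch would pop a dialog and is left to other rules. Tune SUSPECT_ROOTS to the environment rather than the sample.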
                                                                              APIs
                                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044C7E9
                                                                              • GetSysColor.USER32(00000014), ref: 0044C7F0
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044C808
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C831
                                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044C83B
                                                                              • GetSysColor.USER32(00000010), ref: 0044C842
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044C85A
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C883
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C8AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Text$Color$Draw$OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 1005981011-0
                                                                              • Opcode ID: 30f91df4a71e18c366fa4ac339b52cd210d811b7e5c4f372080e0ad89e8fee32
                                                                              • Instruction ID: 2a2be0ad8b0691fe77ec280b759a10f9387e8c7ee22b4e90c7d38d23f746949b
                                                                              • Opcode Fuzzy Hash: 30f91df4a71e18c366fa4ac339b52cd210d811b7e5c4f372080e0ad89e8fee32
                                                                              • Instruction Fuzzy Hash: CE21CFB42015047FC710FB6ACD8AE9B7BDCDF19319B00857AB914EB3A3C678DE444669
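The records in this section are the report's raw per-function listing: API calls with argument snapshots and reference addresses, cross-referenced strings, and the Similarity block with the API ID, String ID and fuzzy hashes. Triage means asking questions across hundreds of such records, for example which functions resolve imports at run time (the GetProcAddress record above requests the zlib names inflateInit_, inflate, inflateEnd and inflateReset) or which function carries the regsvr32 command-line fragments. The parser below is an added example and not part of the report or of Joe Sandbox's tooling; the record layout is inferred from the text on this page, SAMPLE is a constructed excerpt copied from three of the records above, and the Opcode ID is used as the record key simply because every record here carries one.

```python
"""Parser for the per-function records of a Joe Sandbox execution-graph listing
(APIs / Strings / Similarity blocks).  Added example: layout inferred from the
report text; SAMPLE is a constructed excerpt of records copied from the page."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045A631
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045A641
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045A651
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045A661
Similarity
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• Opcode ID: bed0c592b19218b302000e891b177588dd892a96f65053ab4286eee6aeb3e139
APIs
  • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00455D4C,?, /s ",?,regsvr32.exe",?,00455D4C), ref: 00455CBE
Similarity
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• Opcode ID: d409af3b62711a3076e859fe1edcb2bd93033f39dd478d898bc79be760b67c24
APIs
• FreeLibrary.KERNEL32(10000000), ref: 00479CE8
Strings
• Restarting Windows., xrefs: 00479D3C
• GetCustomSetupExitCode, xrefs: 00479B9D
Similarity
• Opcode ID: 897b73cd04819112cf29f50d09c30dd7b4bb71156158dbfbf11bdf57731a2d04
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Name>.<MODULE>(<args>), ref: <addr>", optionally prefixed as a subcall line
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")          # an argument snapshot, not a literal


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None             # callee address for subcall lines


@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref) from the Strings block
    meta: dict = field(default_factory=dict)     # Similarity key -> value

    @property
    def ident(self):
        return self.meta.get("Opcode ID") or (self.calls[0].ref if self.calls else "?")

    @property
    def api_strings(self):                       # "String ID" joins strings with '$'
        s = self.meta.get("String ID", "")
        return s.split("$") if s else []


def parse(text):
    """Split the listing into Records; a new record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs" or rec is None:
                rec = Record()
                records.append(rec)
            section = line
            continue
        line = line.lstrip("• ").strip()
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], m["xref"]))
        elif section == "Similarity":
            key, _, val = line.partition(":")
            rec.meta[key.strip()] = val.strip()
    return records


def dynamic_imports(records):
    """ident -> export names requested through GetProcAddress (literal 2nd argument)."""
    out = {}
    for rec in records:
        names = [c.args[1] for c in rec.calls if c.name == "GetProcAddress"
                 and len(c.args) > 1 and c.args[1] != "?" and not HEX_RE.match(c.args[1])]
        if names:
            out[rec.ident] = names
    return out


def functions_with_string(records, needle):
    """idents of records whose String ID list or Strings block contains needle."""
    needle = needle.lower()
    return [r.ident for r in records
            if any(needle in s.lower() for s in r.api_strings)
            or any(needle in t.lower() for t, _ in r.strings)]


def call_sequence(rec):
    """Top-level call order, subcall lines excluded: what a behaviour rule keys on."""
    return [c.name for c in rec.calls if c.subcall_of is None]
```

Feed `parse` the text of the whole execution-graph section rather than SAMPLE to query the real listing; `call_sequence` deliberately drops "Part of subcall function" lines so that a callee's APIs are not attributed to every caller.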
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000129,00000000,00000000), ref: 0044C93C
                                                                              • LineDDA.GDI32(?,?,?,?,Function_0004C1D0,?), ref: 0044CACA
                                                                              • LineDDA.GDI32(?,?,?,?,Function_0004C1D0,?), ref: 0044CAEE
                                                                              • DrawFrameControl.USER32(00000000,?,00000004,00000000), ref: 0044CBFD
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044CD01
                                                                              • OffsetRect.USER32(00000000,00000000,?), ref: 0044CDA5
                                                                              • InflateRect.USER32(?,00000001,00000001), ref: 0044CE75
                                                                              • SetTextColor.GDI32(00000000,?), ref: 0044CE90
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ColorLineRectText$ControlDrawFrameInflateMessageOffsetSend
                                                                              • String ID:
                                                                              • API String ID: 1642711622-0
                                                                              • Opcode ID: c162d4d4ab7fe6bdd2b280a660b7ccb70823943b853891b9da56872a7fedd913
                                                                              • Instruction ID: aab2c2958e40563fd7b5a3b28404d6d88fc7052fb7213ce4f794ec1ca1f8e607
                                                                              • Opcode Fuzzy Hash: c162d4d4ab7fe6bdd2b280a660b7ccb70823943b853891b9da56872a7fedd913
                                                                              • Instruction Fuzzy Hash: F8122D75A01148EFEB51CBA8C9C5BEEBBF1AF08304F1841A6E544E7352D738AE41DB58
                                                                              APIs
                                                                                • Part of subcall function 0044FAC4: SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                                • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0048D8E5
                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 0048D8F9
                                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0048D913
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D91F
                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D925
                                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D938
                                                                              Strings
                                                                              • Deleting Uninstall data files., xrefs: 0048D85B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                              • String ID: Deleting Uninstall data files.
                                                                              • API String ID: 1570157960-2568741658
                                                                              • Opcode ID: 9dfa323906793c6f841641a99689aa4eafbf58b23862c522f440eb2f98913c12
                                                                              • Instruction ID: 209b9e5c2b4f5f57db00f4d5fd6a7dbc7a9b1f0f3c600cc8da1eae757a0435bc
                                                                              • Opcode Fuzzy Hash: 9dfa323906793c6f841641a99689aa4eafbf58b23862c522f440eb2f98913c12
                                                                              • Instruction Fuzzy Hash: 9821BF70604201BAE724BB76ED82F2B339CEB18718F10083BF915962E2D6BC9C04CB1C
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00469ED5,?,?,?,?,00000000), ref: 00469E3F
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00469ED5), ref: 00469E56
                                                                              • AddFontResourceA.GDI32(00000000), ref: 00469E73
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00469E87
                                                                              Strings
                                                                              • AddFontResource, xrefs: 00469E91
                                                                              • Failed to open Fonts registry key., xrefs: 00469E5D
                                                                              • Failed to set value in Fonts registry key., xrefs: 00469E48
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                              • API String ID: 955540645-649663873
                                                                              • Opcode ID: d9cbe27344ecb8c4aa0202ea79dcf8b7b8f313dac1d3cddb77c4eab689a5c6c9
                                                                              • Instruction ID: bc8230094c51973cdf8ecbb45d8da8cae8d52365a8c04d6daf9ccbb674275915
                                                                              • Opcode Fuzzy Hash: d9cbe27344ecb8c4aa0202ea79dcf8b7b8f313dac1d3cddb77c4eab689a5c6c9
                                                                              • Instruction Fuzzy Hash: 2521B2757402047BEB10EA668D42F6E67ADDB05B04F144037F900EB3C2EABDDE06866E
                                                                              APIs
                                                                                • Part of subcall function 004163A8: GetClassInfoA.USER32(00400000,?,?), ref: 00416417
                                                                                • Part of subcall function 004163A8: UnregisterClassA.USER32(?,00400000), ref: 00416443
                                                                                • Part of subcall function 004163A8: RegisterClassA.USER32(?), ref: 00416466
                                                                              • GetVersion.KERNEL32 ref: 0045DC94
                                                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045DCD2
                                                                              • SHGetFileInfo.SHELL32(0045DD70,00000000,?,00000160,00004011), ref: 0045DCEF
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0045DD0D
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,0045DD70,00000000,?,00000160,00004011), ref: 0045DD13
                                                                              • SetCursor.USER32(?,0045DD53,00007F02,0045DD70,00000000,?,00000160,00004011), ref: 0045DD46
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                              • String ID: Explorer
                                                                              • API String ID: 2594429197-512347832
                                                                              • Opcode ID: a0491db32c50bbc4a8ba45f86c18b660a4711bab698f70a02f8a1103d4161a36
                                                                              • Instruction ID: 08bbecee416fa481ca426edc0ff8b3b93b80f74de7e483e45fe9000b0b83ebe9
                                                                              • Opcode Fuzzy Hash: a0491db32c50bbc4a8ba45f86c18b660a4711bab698f70a02f8a1103d4161a36
                                                                              • Instruction Fuzzy Hash: 2A210D70B403046BD721BF759C47BAA76A89F04709F51407FBE05EA2D3D9BD4C09969C
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(00491420,00000000,00401B68), ref: 00401ABD
                                                                              • LocalFree.KERNEL32(00772A20,00000000,00401B68), ref: 00401ACF
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,00772A20,00000000,00401B68), ref: 00401AEE
                                                                              • LocalFree.KERNEL32(00770E48,?,00000000,00008000,00772A20,00000000,00401B68), ref: 00401B2D
                                                                              • RtlLeaveCriticalSection.KERNEL32(00491420,00401B6F), ref: 00401B58
                                                                              • RtlDeleteCriticalSection.KERNEL32(00491420,00401B6F), ref: 00401B62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID: *w
                                                                              • API String ID: 3782394904-1711716165
                                                                              • Opcode ID: 09ee6c1da519e67de8fc9665d92e8d709827becec73d0652864b25fce379c00b
                                                                              • Instruction ID: 6c3561cac3bf455cb8eb58d504ab1afe898de9fb7a31b5eede02c33905ddd1bf
                                                                              • Opcode Fuzzy Hash: 09ee6c1da519e67de8fc9665d92e8d709827becec73d0652864b25fce379c00b
                                                                              • Instruction Fuzzy Hash: E111E330B003425AEB15AB759C82F263BE8976974CF44047BF40067AF1D77C9880C76E
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045775E,?,00000000,?,00000000,?,00000005,?,00000000,0048E932,?,00000000,0048E9CD), ref: 004576A2
                                                                                • Part of subcall function 004528AC: FindClose.KERNEL32(000000FF,004529A2), ref: 00452991
                                                                              Strings
                                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00457717
                                                                              • Stripped read-only attribute., xrefs: 00457664
                                                                              • Failed to delete directory (%d)., xrefs: 00457738
                                                                              • Failed to delete directory (%d). Will retry later., xrefs: 004576BB
                                                                              • Deleting directory: %s, xrefs: 0045762B
                                                                              • Failed to strip read-only attribute., xrefs: 00457670
                                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045767C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseErrorFindLast
                                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                              • API String ID: 754982922-1448842058
                                                                              • Opcode ID: 9f29d42d182642dc7537c337c93dd12fef561ecf4bb696dfeb710090d7bd2c0d
                                                                              • Instruction ID: 4f4014777126b0eb11497ab7f6fbe238aea69b0e2e44dabb33df59121be7d4f6
                                                                              • Opcode Fuzzy Hash: 9f29d42d182642dc7537c337c93dd12fef561ecf4bb696dfeb710090d7bd2c0d
                                                                              • Instruction Fuzzy Hash: CD41D630A082089ACB10EB6DA8017AF76EA5F4D316F50857BAC01D7393DB7C990DC75E
                                                                              APIs
                                                                              • GetCapture.USER32 ref: 00422E3C
                                                                              • GetCapture.USER32 ref: 00422E4B
                                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E51
                                                                              • ReleaseCapture.USER32 ref: 00422E56
                                                                              • GetActiveWindow.USER32 ref: 00422E65
                                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EE4
                                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F48
                                                                              • GetActiveWindow.USER32 ref: 00422F57
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                              • String ID:
                                                                              • API String ID: 862346643-0
                                                                              • Opcode ID: 8be18079083153025e28215423c98a3a5ee7483c780cd63c3c6e06037c3e0d94
                                                                              • Instruction ID: e78f67eba533dd0e8fe9397a7718bd7d4daaa515340af2ace1e4958662264751
                                                                              • Opcode Fuzzy Hash: 8be18079083153025e28215423c98a3a5ee7483c780cd63c3c6e06037c3e0d94
                                                                              • Instruction Fuzzy Hash: C4415370B00254AFDB11EB69DA42B9D77F1EF08304F5540BAF454AB2A2DBB89E40DB18
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000), ref: 00429422
                                                                              • GetTextMetricsA.GDI32(00000000), ref: 0042942B
                                                                                • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0042943A
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 00429447
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0042944E
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00429456
                                                                              • GetSystemMetrics.USER32(00000006), ref: 0042947B
                                                                              • GetSystemMetrics.USER32(00000006), ref: 00429495
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                              • String ID:
                                                                              • API String ID: 361401722-0
                                                                              • Opcode ID: 612241d76cd041ebb592b6140f8317f7295879649094e6a1feb7cdb4f14421fa
                                                                              • Instruction ID: 007c710f23a5f67dcdc67497f4127ea26f0e4cdf06179a8ebee1bfcd4cab9f19
                                                                              • Opcode Fuzzy Hash: 612241d76cd041ebb592b6140f8317f7295879649094e6a1feb7cdb4f14421fa
                                                                              • Instruction Fuzzy Hash: 7F01E1917087102AF710B67A9CC2F6B56C8DB84368F84053BFB469A3D3D56C8C41822A
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,00418FF1,0048FB31), ref: 0041DDBF
                                                                              • 73A24620.GDI32(00000000,0000005A,00000000,?,00418FF1,0048FB31), ref: 0041DDC9
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FF1,0048FB31), ref: 0041DDD6
                                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDE5
                                                                              • GetStockObject.GDI32(00000007), ref: 0041DDF3
                                                                              • GetStockObject.GDI32(00000005), ref: 0041DDFF
                                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE0B
                                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE1C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectStock$A24620A480A570IconLoad
                                                                              • String ID:
                                                                              • API String ID: 3573811560-0
                                                                              • Opcode ID: 912f4a9c34cfc530e73c180af0cee4fbb319550339a6bda1beb8bc949a239008
                                                                              • Instruction ID: a1397b4ca46e960c86eb9c90a61334d197680284bcb8e78615aa9deb819e0443
                                                                              • Opcode Fuzzy Hash: 912f4a9c34cfc530e73c180af0cee4fbb319550339a6bda1beb8bc949a239008
                                                                              • Instruction Fuzzy Hash: 00114270A453425FE740FF795D92BA63694DB24749F04803FF6049F2E2DAB90C448B5E
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0045E178
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045E20D), ref: 0045E17E
                                                                              • SetCursor.USER32(?,0045E1F5,00007F02,00000000,0045E20D), ref: 0045E1E8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load
                                                                              • String ID: $ $Internal error: Item already expanding
                                                                              • API String ID: 1675784387-1948079669
                                                                              • Opcode ID: 66374a5f3efa02b7eac811ea75e7dcf2f4ac446ef057e9007c28aec30eb8c590
                                                                              • Instruction ID: c82b97671206bee37f0607cceb23effa6a4e75b439f128a9d47cc80576d1f72f
                                                                              • Opcode Fuzzy Hash: 66374a5f3efa02b7eac811ea75e7dcf2f4ac446ef057e9007c28aec30eb8c590
                                                                              • Instruction Fuzzy Hash: 0BB1BF30600644DFDB18DF6AC585B9EBBF1AF05305F1484AAEC45AB393C778AE48CB58
                                                                              APIs
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004522EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileStringWrite
                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                              • API String ID: 390214022-3304407042
                                                                              • Opcode ID: 57e511164ddf90741d7758b7c9a13bb3c82f412bb4ef4ea546e5bbdc2eaeadbe
                                                                              • Instruction ID: b880a8d602179d00a68da039191d74026ef7de6d8b5abd19fd3f1fbe25940c28
                                                                              • Opcode Fuzzy Hash: 57e511164ddf90741d7758b7c9a13bb3c82f412bb4ef4ea546e5bbdc2eaeadbe
                                                                              • Instruction Fuzzy Hash: 7B910030E00209ABDB11EFA5D951BDEB7F5AB49305F508477E800B7292D7BCAE09CB59
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004088F8,?,?,?,?,00000000,00000000,00000000,?,004098FF,00000000,00409912), ref: 004086CA
                                                                                • Part of subcall function 004084F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                                • Part of subcall function 00408544: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408746,?,?,?,00000000,004088F8), ref: 00408557
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: 6398917eba9f35c605718211014c2823ca990c2dd622e63239acadafc300ca0e
                                                                              • Instruction ID: 703e3be491a9815772bafdc7c7c0f7b6202b522d2c3e8d150354549465e5c921
                                                                              • Opcode Fuzzy Hash: 6398917eba9f35c605718211014c2823ca990c2dd622e63239acadafc300ca0e
                                                                              • Instruction Fuzzy Hash: 4C512E34B002496BDB01FBA98941A9E6769DB88308F50D47FB151BB3C7DE3CDA05971D
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00000000,00411891), ref: 00411724
                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117E2
                                                                                • Part of subcall function 00411A44: CreatePopupMenu.USER32 ref: 00411A5E
                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0041186E
                                                                                • Part of subcall function 00411A44: CreateMenu.USER32 ref: 00411A68
                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411855
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                              • String ID: ,$?
                                                                              • API String ID: 2359071979-2308483597
                                                                              • Opcode ID: e5589ed52d94a77d0cb5df33b8defa0bad6be3346ecc0a13e21e61dc1078d7ae
                                                                              • Instruction ID: 4db3e36a1824f200769957cd3722fd4d3721cc561e15579b2661ccf42d753284
                                                                              • Opcode Fuzzy Hash: e5589ed52d94a77d0cb5df33b8defa0bad6be3346ecc0a13e21e61dc1078d7ae
                                                                              • Instruction Fuzzy Hash: 1851F374A00144ABDB10EF6ADC816EA7BF9AF09304B1585BBF944E73A2D738DD418B58
                                                                              APIs
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BEC0
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BECF
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF20
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF2E
                                                                              • DeleteObject.GDI32(?), ref: 0041BF37
                                                                              • DeleteObject.GDI32(?), ref: 0041BF40
                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF5D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                              • String ID:
                                                                              • API String ID: 1030595962-0
                                                                              • Opcode ID: baa1e2450b9de5372d0f55cbf5966268843ca39ceb3fdf4c807e45b67f8a2b96
                                                                              • Instruction ID: 52ef36e9ff3e7ee1873761fb219a6cc292be1c227624e33a65ab7470414a0116
                                                                              • Opcode Fuzzy Hash: baa1e2450b9de5372d0f55cbf5966268843ca39ceb3fdf4c807e45b67f8a2b96
                                                                              • Instruction Fuzzy Hash: BE512475E00219AFCB14DFA9C8819EEB7F9EF48310B11856AF904E7391D738AD81CB64
                                                                              APIs
                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE96
                                                                              • 73A24620.GDI32(00000000,00000026), ref: 0041CEB5
                                                                              • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF1B
                                                                              • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF2A
                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF94
                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFD2
                                                                              • 73A18830.GDI32(?,?,00000001,0041D004,00000000,00000026), ref: 0041CFF7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Stretch$A18830$A122A24620BitsMode
                                                                              • String ID:
                                                                              • API String ID: 430401518-0
                                                                              • Opcode ID: 9e2462167f5f006b5608fcda1c138d935c6fdca52f4aea3d1b3962bd622f2fd5
                                                                              • Instruction ID: 8fe7590bed3a2b21df9441d61fef16a42200e798c73637f143c0dae3db67bcae
                                                                              • Opcode Fuzzy Hash: 9e2462167f5f006b5608fcda1c138d935c6fdca52f4aea3d1b3962bd622f2fd5
                                                                              • Instruction Fuzzy Hash: 0A513CB0600604AFDB14DFA8C985F9BBBE9EF08304F10859AB545DB292C779ED81CB58
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,?,?), ref: 00454E0E
                                                                                • Part of subcall function 00424214: GetWindowTextA.USER32(?,?,00000100), ref: 00424234
                                                                                • Part of subcall function 0041EE3C: GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                                • Part of subcall function 0041EE3C: 73A25940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                                • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00454E75
                                                                              • TranslateMessage.USER32(?), ref: 00454E93
                                                                              • DispatchMessageA.USER32(?), ref: 00454E9C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                                              • String ID: [Paused]
                                                                              • API String ID: 3047529653-4230553315
                                                                              • Opcode ID: 4f798f37858d44f966a921b0a713bfb36e5d8fa224b4acffba2fd680211b14e4
                                                                              • Instruction ID: c67b15ba7ba9377d1b555b91e6b5493cd0b2d6e8e49ab6c2c63db39a0fb9b19d
                                                                              • Opcode Fuzzy Hash: 4f798f37858d44f966a921b0a713bfb36e5d8fa224b4acffba2fd680211b14e4
                                                                              • Instruction Fuzzy Hash: 1831D9319042489EDB11DBBADC46BDE7BB8EB89318F554077F800E7292D73C9949C728
                                                                              APIs
                                                                              • GetCursor.USER32(00000000,00465A87), ref: 00465A04
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00465A12
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,00465A87), ref: 00465A18
                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,00465A87), ref: 00465A22
                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,00465A87), ref: 00465A28
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LoadSleep
                                                                              • String ID: CheckPassword
                                                                              • API String ID: 4023313301-1302249611
                                                                              • Opcode ID: 5acb36fa3ab63af13457b52ddd306d446ecbf4b2c6308f3e70f3e2f2757089f7
                                                                              • Instruction ID: 906901c5ed80ca143d06c2c25e6ac4f6bba4f83609b33dd2e821a61b899a1fac
                                                                              • Opcode Fuzzy Hash: 5acb36fa3ab63af13457b52ddd306d446ecbf4b2c6308f3e70f3e2f2757089f7
                                                                              • Instruction Fuzzy Hash: 6231B374644604AFD701EF69C9CAB9E7BE0AF05314F4580B6F9049B3A2EB789E44CB49
                                                                              APIs
                                                                                • Part of subcall function 00470C90: GetWindowThreadProcessId.USER32(00000000), ref: 00470C98
                                                                                • Part of subcall function 00470C90: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00470D8F,00491F50,00000000), ref: 00470CAB
                                                                                • Part of subcall function 00470C90: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00470CB1
                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00471122), ref: 00470D9D
                                                                              • GetTickCount.KERNEL32 ref: 00470DE2
                                                                              • GetTickCount.KERNEL32 ref: 00470DEC
                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00470E41
                                                                              Strings
                                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 00470DD2
                                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 00470E2A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                              • API String ID: 613034392-3771334282
                                                                              • Opcode ID: 2b24747447efea9910953d41e46288f8d27ae03b12631b6b7684711cd3e840e1
                                                                              • Instruction ID: cff2d624cb7c179440d5232b3ebdd9a31325d9052a06e940395f83d14b46c5bf
                                                                              • Opcode Fuzzy Hash: 2b24747447efea9910953d41e46288f8d27ae03b12631b6b7684711cd3e840e1
                                                                              • Instruction Fuzzy Hash: 8931A074B012159EDB10EBB988867EEB7A5AF04304F50853BF148EB392D67C9E01CB9D
                                                                              APIs
                                                                                • Part of subcall function 0041BFE0: GetObjectA.GDI32(?,00000018), ref: 0041BFED
                                                                              • GetFocus.USER32 ref: 0041C100
                                                                              • 73A1A570.USER32(?), ref: 0041C10C
                                                                              • 73A18830.GDI32(?,?,00000000,00000000,0041C18B,?,?), ref: 0041C12D
                                                                              • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C18B,?,?), ref: 0041C139
                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C150
                                                                              • 73A18830.GDI32(?,00000000,00000000,0041C192,?,?), ref: 0041C178
                                                                              • 73A1A480.USER32(?,?,0041C192,?,?), ref: 0041C185
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A18830$A122A480A570BitsFocusObject
                                                                              • String ID:
                                                                              • API String ID: 2231653193-0
                                                                              • Opcode ID: 9bc0f7e3173584325c782497405155f3155e601279aa2de4800843ea242170ed
                                                                              • Instruction ID: fd89d4ca8a39aecffd2b164b8e5ecdcf718e57c46113e586f0865db98b33e030
                                                                              • Opcode Fuzzy Hash: 9bc0f7e3173584325c782497405155f3155e601279aa2de4800843ea242170ed
                                                                              • Instruction Fuzzy Hash: 2D113A71A44608BBDB10DBA9CC85FAFB7FCEF48704F15846AB514E7281D67899408B68
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C08
                                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C10
                                                                              • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C16
                                                                                • Part of subcall function 00409948: 6F52C400.COMCTL32(00491628,000000FF,00000000,00418C44,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0040994C
                                                                              • 6F59CB00.COMCTL32(00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C66
                                                                              • 6F59C740.COMCTL32(00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C71
                                                                              • 6F59CB00.COMCTL32(00491628,00000001,?,?,00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000), ref: 00418C84
                                                                              • 6F530860.COMCTL32(00491628,00418CA7,?,00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E), ref: 00418C9A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$C400C740F530860F532980
                                                                              • String ID:
                                                                              • API String ID: 209721339-0
                                                                              • Opcode ID: 95b0c7ca0d7cac73c6eea64bc8ab2c9a66b46d4975db43f43db6c18caaa08e82
                                                                              • Instruction ID: 7d058e0f43661e12853d483bbd2d38206b0156f2441a7355af2e3191ff54fcf4
                                                                              • Opcode Fuzzy Hash: 95b0c7ca0d7cac73c6eea64bc8ab2c9a66b46d4975db43f43db6c18caaa08e82
                                                                              • Instruction Fuzzy Hash: 8A116A75B44204BBDB10EBA5DC82F5DB3B8D708714F50446AF504F73D2E9799D408758
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047BC24), ref: 0047BC09
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                              • API String ID: 47109696-2530820420
                                                                              • Opcode ID: 4044e7b086cadd3071d4caf39d8bf01831a59107471790ea0f341c578cb3ef7e
                                                                              • Instruction ID: c6c292f7dfd23322384e3be2176fee0a6b796c43d5aa8ac4acdd36b8a0573059
                                                                              • Opcode Fuzzy Hash: 4044e7b086cadd3071d4caf39d8bf01831a59107471790ea0f341c578cb3ef7e
                                                                              • Instruction Fuzzy Hash: 96118E30704248AFDB02DB618D46BDB7BA8DB55304F51C4BAE805EB296DF7CDA019B9C
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,?,00000000), ref: 0048C54D
                                                                                • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0048C56F
                                                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048C9CD), ref: 0048C583
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 0048C5A5
                                                                              • 73A1A480.USER32(00000000,00000000,0048C5CF,0048C5C8,?,00000000,?,?,00000000), ref: 0048C5C2
                                                                              Strings
                                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048C57A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                              • API String ID: 1435929781-222967699
                                                                              • Opcode ID: 17f16a66e5675f115f6803e4db0079e40b65780344f80d4b010a3b8f4350dcaf
                                                                              • Instruction ID: 0ff1e4635251b10658a1aad062618ac87834e4e23b153399c5fc0279f3a45a1b
                                                                              • Opcode Fuzzy Hash: 17f16a66e5675f115f6803e4db0079e40b65780344f80d4b010a3b8f4350dcaf
                                                                              • Instruction Fuzzy Hash: 46018476A44608BFEB01EBA9CC41F5EB7ECDB49704F51047AF604E7281D678AE008B68
                                                                              APIs
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B408
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B417
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B443
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B451
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B45F
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B468
                                                                              • DeleteDC.GDI32(?), ref: 0041B471
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectSelect$Delete$Stretch
                                                                              • String ID:
                                                                              • API String ID: 1458357782-0
                                                                              • Opcode ID: e4e7a4441f722d2d5e932f48c3d098eb8dadb36e85857d194763780bb1c34f35
                                                                              • Instruction ID: c4fd92bf3a7a130a1ed603e8460332665172ba9f71e0f7226dd7a911700bf555
                                                                              • Opcode Fuzzy Hash: e4e7a4441f722d2d5e932f48c3d098eb8dadb36e85857d194763780bb1c34f35
                                                                              • Instruction Fuzzy Hash: 9E114C72E00655ABDF10DAD9D885FAFB3BCEF08704F048456B714FB241C678A8418B54
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 00423347
                                                                              • WindowFromPoint.USER32(?,?), ref: 00423354
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423362
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00423369
                                                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 00423382
                                                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423399
                                                                              • SetCursor.USER32(00000000), ref: 004233AB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                              • String ID:
                                                                              • API String ID: 1770779139-0
                                                                              • Opcode ID: 88d8144f2f31a7ce7c9ea2d83b107e499918a2be15bc84e97619d0f120612439
                                                                              • Instruction ID: 0d08d647db1030bd971df84a08ef481e3cb2fec522b8f416a7975514cb2aaf1d
                                                                              • Opcode Fuzzy Hash: 88d8144f2f31a7ce7c9ea2d83b107e499918a2be15bc84e97619d0f120612439
                                                                              • Instruction Fuzzy Hash: E401FC223053103AD610BB795C86F3F22A8DBC5B65F50003FBA05AB282DE3D9D0063AD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0048C370
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048C37D
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048C38A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                              • API String ID: 667068680-2254406584
                                                                              • Opcode ID: 4e3b24ba4e2ad681dbd9a18b6f22c27088cd2461bd9f99525b144e5dc6aa77c4
                                                                              • Instruction ID: 943ecad310307e0fc108c7ae822acdd7bbf833ca2338e28bb672ad4384977e7f
                                                                              • Opcode Fuzzy Hash: 4e3b24ba4e2ad681dbd9a18b6f22c27088cd2461bd9f99525b144e5dc6aa77c4
                                                                              • Instruction Fuzzy Hash: 77F0C29264171466D610316A1CC1A7F658CCB81B60F148837BE04A6282E9B88C0643B9
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045AA05
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045AA15
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045AA25
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                              • API String ID: 190572456-212574377
                                                                              • Opcode ID: 8ce033781a8ebeddff6f210f59c30cce2107159bbf78c1cddf34480e866d2008
                                                                              • Instruction ID: d57c0fc8ffca2e3895d271b6191988a2064b879c5df64bfdf0a96536cb027f45
                                                                              • Opcode Fuzzy Hash: 8ce033781a8ebeddff6f210f59c30cce2107159bbf78c1cddf34480e866d2008
                                                                              • Instruction Fuzzy Hash: 26F0BBB0500306CEEB34DF726D487733695A364346F148177A805652FFDB7C0858CA1D
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E5FD), ref: 0044BB87
                                                                              • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BB98
                                                                              • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BBA8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                              • API String ID: 2238633743-1050967733
                                                                              • Opcode ID: 826270591faa91d333e365557f7957eb4608477112023562f10bf7429a104441
                                                                              • Instruction ID: d4e4756ef9205d43bd93b9f2fef0047ba5620f8f9e99d58699ff538cf8867d60
                                                                              • Opcode Fuzzy Hash: 826270591faa91d333e365557f7957eb4608477112023562f10bf7429a104441
                                                                              • Instruction Fuzzy Hash: A4F0FE702407C3CAEB11DBE59C85B5233A4D720709F10157BE013595F5D7BCA448CB4C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048CACE,QueryCancelAutoPlay,0048FB77), ref: 0042E74A
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E750
                                                                              • InterlockedExchange.KERNEL32(00491660,00000001), ref: 0042E761
                                                                              • ChangeWindowMessageFilter.USER32(0000C1C1,00000001), ref: 0042E772
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                              • API String ID: 1365377179-2498399450
                                                                              • Opcode ID: 798f4d3b9e42d6978647b9e491d5591a8efc67b597b1aacdaccc600c80670fcf
                                                                              • Instruction ID: 71b351e1e5f00bce675c0894c61af028bda518588696eba08359233394634fc9
                                                                              • Opcode Fuzzy Hash: 798f4d3b9e42d6978647b9e491d5591a8efc67b597b1aacdaccc600c80670fcf
                                                                              • Instruction Fuzzy Hash: 88E0ECA1B41311EBEA217BB2AD8AFAA29949768796F980037F101651F2C6BD0C40C91C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,0048FB6D), ref: 00471A56
                                                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00471A63
                                                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00471A73
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                              • API String ID: 667068680-222143506
                                                                              • Opcode ID: ebb4d520ae13cb97b16c5c29354c01da17355d9db3788449d9a67f370f92728d
                                                                              • Instruction ID: 2b16cd99005f431ceeee0c6555dc68e2f38eb24f43a8145ab69f237294a12076
                                                                              • Opcode Fuzzy Hash: ebb4d520ae13cb97b16c5c29354c01da17355d9db3788449d9a67f370f92728d
                                                                              • Instruction Fuzzy Hash: AEC012F0742705EDDB00E7F55DC2EB6224CC500B68324807BB04A791F2D67C0C005A1C
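The function listings above repeat one pattern worth pulling out mechanically: GetModuleHandleA/LoadLibraryA followed by GetProcAddress with a literal export name (MonitorFromRect, VerSetConditionMask, BZ2_bzDecompress, LresultFromObject), a RegOpenKeyExA subcall on System\CurrentControlSet\Control\Windows, and COMCTL32 callees the sandbox could not symbolize and reports only by address (6F532980, 6F59CB00). The parser below is an added example written for this report's "• Name.MODULE(args), ref: ADDR" line format; it is not Joe Sandbox code. The SAMPLE_REPORT input is constructed from line shapes seen in this page, not a file the sandbox produced, and the classification rules (what counts as a loader call, which GetProcAddress argument is the export name) are the author's assumptions about the format.

```python
"""Parse Joe Sandbox per-function "APIs" listings and summarize run-time API resolution."""
import re

# Constructed sample in the report's own line format (assembled by hand from the
# shapes seen on this page; not sandbox output).
SAMPLE_REPORT = r"""
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0048C370
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048C37D
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048C38A
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001), ref: 0042DC50
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047BC24), ref: 0047BC09
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C08
• 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E), ref: 00418C16
• GetCursorPos.USER32 ref: 00423347
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044E5FD), ref: 0044BB87
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BB98
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BBA8
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional (args), then "ref: ADDR". Unsymbolized callees appear as an 8-hex-digit name.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8_RE = re.compile(r"^[0-9A-F]{8}$")
# Assumption: these are the loader calls whose first argument names the module.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def parse_calls(text):
    """Split the listing at each 'APIs' heading and parse the call lines under it.

    Returns a list of functions; each function is a list of dicts with keys
    name, module, args, ref and sub (the subcall address, or None).
    """
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue  # heading, string list, hash line, or text before the first 'APIs'
        args = m.group("args")
        functions[-1].append({
            "name": m.group("name"),
            "module": m.group("module").upper(),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "sub": m.group("sub"),
        })
    return functions


def is_literal(arg):
    """True for a string argument; False for '?', 8-hex-digit addresses and constants."""
    return bool(arg) and arg != "?" and not HEX8_RE.match(arg)


def summarize(function):
    """What one function loads, resolves by name, calls unsymbolized, and opens in the registry."""
    summary = {"modules": [], "resolved": [], "unresolved": [], "registry": []}
    for call in function:
        name, args = call["name"], call["args"]
        if HEX8_RE.match(name):
            # Sandbox could not symbolize the export; the name is the callee address.
            summary["unresolved"].append(f"{call['module']}!{name}")
        elif name in LOADERS and args and is_literal(args[0]):
            summary["modules"].append(args[0])
        elif name == "GetProcAddress" and len(args) > 1 and is_literal(args[1]):
            summary["resolved"].append(args[1])  # second argument is the export name
        elif name.startswith("RegOpenKey"):
            summary["registry"].extend(a for a in args if "\\" in a)
    return summary


def report(text):
    """Summary per function, keyed by the ref address of its first listed call."""
    return {fn[0]["ref"]: summarize(fn) for fn in parse_calls(text) if fn}


if __name__ == "__main__":
    for ref, s in report(SAMPLE_REPORT).items():
        print(ref, s)
```

Run against a full report export, the "resolved" lists give the imports that never appear in the PE import table, and "unresolved" flags the functions whose callees the sandbox could only name by address, which is where an analyst would next want to map the address back to an export in the loaded COMCTL32 image.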
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B6DD
                                                                              • 73A1A570.USER32(?), ref: 0041B6E9
                                                                              • 73A18830.GDI32(00000000,?,00000000,00000000,0041B7B4,?,?), ref: 0041B71E
                                                                              • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B7B4,?,?), ref: 0041B72A
                                                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B792,?,00000000,0041B7B4,?,?), ref: 0041B758
                                                                              • 73A18830.GDI32(00000000,00000000,00000000,0041B799,?,?,00000000,00000000,0041B792,?,00000000,0041B7B4,?,?), ref: 0041B78C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A18830$A122A26310A570Focus
                                                                              • String ID:
                                                                              • API String ID: 3906783838-0
                                                                              • Opcode ID: f53375fea2c14aec1dd0b3c366ecbc4f7394b685d47006b1a6009aa808e22028
                                                                              • Instruction ID: 9263689457b9b60da4e063059f7192553b8052dfbed08377d8a6f8e3cdee306c
                                                                              • Opcode Fuzzy Hash: f53375fea2c14aec1dd0b3c366ecbc4f7394b685d47006b1a6009aa808e22028
                                                                              • Instruction Fuzzy Hash: A1512070A002099FCF11DFA9C891AEEBBF4EF49704F11446AF514A7790D7789D81CBA9
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B9AF
                                                                              • 73A1A570.USER32(?), ref: 0041B9BB
                                                                              • 73A18830.GDI32(00000000,?,00000000,00000000,0041BA81,?,?), ref: 0041B9F5
                                                                              • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA81,?,?), ref: 0041BA01
                                                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA5F,?,00000000,0041BA81,?,?), ref: 0041BA25
                                                                              • 73A18830.GDI32(00000000,00000000,00000000,0041BA66,?,?,00000000,00000000,0041BA5F,?,00000000,0041BA81,?,?), ref: 0041BA59
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A18830$A122A26310A570Focus
                                                                              • String ID:
                                                                              • API String ID: 3906783838-0
                                                                              • Opcode ID: acf7b2796d4f962d1590192a83af5495e17748890643173340c072385438d863
                                                                              • Instruction ID: 2f04e07915eadb46d9d3a1ac8f3261e0c8370589b402f14cf3ed0d868b4f2d80
                                                                              • Opcode Fuzzy Hash: acf7b2796d4f962d1590192a83af5495e17748890643173340c072385438d863
                                                                              • Instruction Fuzzy Hash: 3B512A75A006189FCB11DFA9C891AAEBBF9EF49700F118066F904EB351D738AD40CBA4
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B516
                                                                              • 73A1A570.USER32(?,00000000,0041B5F0,?,?,?,?), ref: 0041B522
                                                                              • 73A24620.GDI32(?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0,?,?,?,?), ref: 0041B53E
                                                                              • 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0,?,?,?,?), ref: 0041B55B
                                                                              • 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0), ref: 0041B572
                                                                              • 73A1A480.USER32(?,?,0041B5CB,?,?), ref: 0041B5BE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: E680$A24620A480A570Focus
                                                                              • String ID:
                                                                              • API String ID: 3709697839-0
                                                                              • Opcode ID: 5db8d68a65205efb5222c7e75aeccd35a7f0c5ceba2ec80a25403ba1a7dc1cbb
                                                                              • Instruction ID: 15194d2eca39cd0cd3e706da9045a3d70fad82d14a0a055a4a4dd9c2f9652b7b
                                                                              • Opcode Fuzzy Hash: 5db8d68a65205efb5222c7e75aeccd35a7f0c5ceba2ec80a25403ba1a7dc1cbb
                                                                              • Instruction Fuzzy Hash: AC41B571A04258AFCB10DFA9C885A9FBBF5EF49704F1584AAF940EB351D3389D10CBA5
                                                                              APIs
                                                                                • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,02113888,00000FFF,00000000,004571A0,?,?,00000000,00000000), ref: 004570DB
                                                                                • Part of subcall function 004569B4: CloseHandle.KERNEL32(?), ref: 004569EB
                                                                                • Part of subcall function 004569B4: WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456A15
                                                                                • Part of subcall function 004569B4: GetExitCodeProcess.KERNEL32(?), ref: 00456A26
                                                                                • Part of subcall function 004569B4: CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A6D
                                                                                • Part of subcall function 004569B4: Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A89
                                                                                • Part of subcall function 004569B4: TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456A07
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
                                                                              • String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
                                                                              • API String ID: 3965036325-83444288
                                                                              • Opcode ID: 6daf1da1e84df6570a4e7e72701cca9b80f255e0435cd49bed15a798444fa64e
                                                                              • Instruction ID: 985d50c3f9d90ea0a1834a165dc9ddf0c771a046af542e078957fd21308b1662
                                                                              • Opcode Fuzzy Hash: 6daf1da1e84df6570a4e7e72701cca9b80f255e0435cd49bed15a798444fa64e
                                                                              • Instruction Fuzzy Hash: 2A31A470708A04ABE710EB7AD842A5AB7E9EF44346F54847BBC04D7353DA3C9E09C65D
                                                                              APIs
                                                                              • SetLastError.KERNEL32(00000057,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A42B
                                                                              • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045A4F8,?,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A46A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                              • API String ID: 1452528299-1580325520
                                                                              • Opcode ID: 7be26965263f2104088d498dff14b54dbdb0b4d3a14f3140c27da49f3f9a45ff
                                                                              • Instruction ID: dfb1858b14f89fdca8190fc2c0647b683eaa5ab539ba30ab43b812f68ee1a19b
                                                                              • Opcode Fuzzy Hash: 7be26965263f2104088d498dff14b54dbdb0b4d3a14f3140c27da49f3f9a45ff
                                                                              • Instruction Fuzzy Hash: 0E11EB34204204AFD711DBD1C949A9E7A9CD746306F6082777D0456383D5BC5F1A952F
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BD6D
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BD77
                                                                              • 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD81
                                                                              • 73A24620.GDI32(00000000,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDA8
                                                                              • 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDB5
                                                                              • 73A1A480.USER32(00000000,00000000,0041BDFB,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDEE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A24620MetricsSystem$A480A570
                                                                              • String ID:
                                                                              • API String ID: 4042297458-0
                                                                              • Opcode ID: 3a519e38e7533d4cd4c1fd1caceb06c8e163cd4f2e65891d629d788219c09a9e
                                                                              • Instruction ID: ddc18b353f0c64b41945af083e4deb6b0f211661b4b6c1505d7e366f828bd8de
                                                                              • Opcode Fuzzy Hash: 3a519e38e7533d4cd4c1fd1caceb06c8e163cd4f2e65891d629d788219c09a9e
                                                                              • Instruction Fuzzy Hash: F3215974E04649AFEB04EFA9C842BEEB7B4EB48704F10802AF510BB681D7785941CF69
                                                                              APIs
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00476AD2
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00466F4D), ref: 00476AF8
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00476B08
                                                                              • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00476B29
                                                                              • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00476B3D
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00476B59
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long$Show
                                                                              • String ID:
                                                                              • API String ID: 3609083571-0
                                                                              • Opcode ID: 760f074fa72b40526fddec861e4e7f7314de86f1f646db28ab4d1345c81cc1c6
                                                                              • Instruction ID: 4a72d8aa8c56eced60dbf9c54b91bafb0241cd17110e70703b3e3484a5e45396
                                                                              • Opcode Fuzzy Hash: 760f074fa72b40526fddec861e4e7f7314de86f1f646db28ab4d1345c81cc1c6
                                                                              • Instruction Fuzzy Hash: DA0100756416106BD700D7A8CD41F6637DDAB1E320F0A4666B955DF3E2C629E8408B58
                                                                              APIs
                                                                                • Part of subcall function 0041A678: CreateBrushIndirect.GDI32 ref: 0041A6E3
                                                                              • UnrealizeObject.GDI32(00000000), ref: 0041B214
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B226
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B249
                                                                              • SetBkMode.GDI32(?,00000002), ref: 0041B254
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B26F
                                                                              • SetBkMode.GDI32(?,00000001), ref: 0041B27A
                                                                                • Part of subcall function 00419FF0: GetSysColor.USER32(?), ref: 00419FFA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                              • String ID:
                                                                              • API String ID: 3527656728-0
                                                                              • Opcode ID: a4395bd008d3f3994e0e5a4286e89670886e82a8083edb378fa98ad189851495
                                                                              • Instruction ID: 108304aa2ca1b7da7e62bbcd071f6155afd7513013abbc8791340d3ad5d25070
                                                                              • Opcode Fuzzy Hash: a4395bd008d3f3994e0e5a4286e89670886e82a8083edb378fa98ad189851495
                                                                              • Instruction Fuzzy Hash: A7F0BFB1151500ABCF00FFBAD9CAE5B27A89F443097088057B944DF19BC938DC518B39
                                                                              APIs
                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 0046FEEE
                                                                              • 73A259E0.USER32(00000000,000000FC,0046FE4C,00000000,0047007E,?,00000000,004700A3), ref: 0046FF15
                                                                              • GetACP.KERNEL32(00000000,0047007E,?,00000000,004700A3), ref: 0046FF52
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046FF98
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A259ClassInfoMessageSend
                                                                              • String ID: COMBOBOX
                                                                              • API String ID: 3217714596-1136563877
                                                                              • Opcode ID: ed9dfa75f4c8d360731416eb999a4aa66e98f50d8d76bad7acd2ea423bac2f39
                                                                              • Instruction ID: 34999040898945efd7bf9774008312f26667484ef2a160594c613f8c803993ab
                                                                              • Opcode Fuzzy Hash: ed9dfa75f4c8d360731416eb999a4aa66e98f50d8d76bad7acd2ea423bac2f39
                                                                              • Instruction Fuzzy Hash: EF518030600245EFCB50DF69E885B99B7B5EB09714F1081B7E804EB3A2DB34AD45CB58
                                                                              APIs
                                                                                • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                              • ShowWindow.USER32(?,00000005,00000000,0048F05C,?,?,00000000), ref: 0048EE5A
                                                                                • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                                • Part of subcall function 00407238: SetCurrentDirectoryA.KERNEL32(00000000,?,0048EE82,00000000,0048F028,?,?,00000005,00000000,0048F05C,?,?,00000000), ref: 00407243
                                                                                • Part of subcall function 0042D320: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3AE,?,?,00000000,?,?,0048EE8C,00000000,0048F028,?,?,00000005), ref: 0042D355
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                                              • API String ID: 3312786188-1660910688
                                                                              • Opcode ID: 89aaab86eebdfb02b9e2b8e446069827cd063c739e1b0438e722919dc2f4d9f0
                                                                              • Instruction ID: e953af1becc893fd7b4a2d92d2dfc468d03227211ff677cbd897ed5c0636aa5d
                                                                              • Opcode Fuzzy Hash: 89aaab86eebdfb02b9e2b8e446069827cd063c739e1b0438e722919dc2f4d9f0
                                                                              • Instruction Fuzzy Hash: E6319334A00604AFD710FFB5CD5295E7BB5EB49304B918876F900AB3A2D77DAD05CB98
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                              • RtlEnterCriticalSection.KERNEL32(00491420,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                              • RtlLeaveCriticalSection.KERNEL32(00491420,00401A89,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID: *w
                                                                              • API String ID: 730355536-1711716165
                                                                              • Opcode ID: 79e9dac46c8aaeed53ee9c5f646d3f1e5cadfb67f957e71d22379573a7e76d2f
                                                                              • Instruction ID: b3d2bc59f151f41c0eabde12bfc62168f6f77712819aedb873599e1a68e1a200
                                                                              • Opcode Fuzzy Hash: 79e9dac46c8aaeed53ee9c5f646d3f1e5cadfb67f957e71d22379573a7e76d2f
                                                                              • Instruction Fuzzy Hash: 6501C0706442425EFB19AB6998027253ED4D79D788F51843BF440A7AF1C67C4880CB2D
                                                                              APIs
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455AFC
                                                                              • GetExitCodeProcess.KERNEL32(?,0048F733), ref: 00455B1D
                                                                              • CloseHandle.KERNEL32(?,00455B50,?,?,kcE,00000000,00000000), ref: 00455B43
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                              • API String ID: 2573145106-3235461205
                                                                              • Opcode ID: cbbb06d9bad31b439cba8717d06d469a5d4c1a803a701f517ddf0524c4dc77b5
                                                                              • Instruction ID: 48fa93de125c22366ce476b0a639e770b096c34d87a5e80965ab2036791bda1c
                                                                              • Opcode Fuzzy Hash: cbbb06d9bad31b439cba8717d06d469a5d4c1a803a701f517ddf0524c4dc77b5
                                                                              • Instruction Fuzzy Hash: 1001A230A00A09AFDB21EBA98C66B3A73A8EB49714F604577F910D73D2D638BD048659
                                                                              APIs
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00470C98
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00470D8F,00491F50,00000000), ref: 00470CAB
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00470CB1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                              • String ID: AllowSetForegroundWindow$user32.dll
                                                                              • API String ID: 1782028327-3855017861
                                                                              • Opcode ID: ba85fcf1da409c7155cf3be5e84f4fe10c5145e9c7f4b47efe884d8763916793
                                                                              • Instruction ID: 3424602a847456f4725b68c3def3e962e447e3f4a91fcaf5290cb4c740a1689f
                                                                              • Opcode Fuzzy Hash: ba85fcf1da409c7155cf3be5e84f4fe10c5145e9c7f4b47efe884d8763916793
                                                                              • Instruction Fuzzy Hash: D6D09EA1203701ADEA1572B68D46E6F225C9944754B64862BB404E728ADA7CE804496D
                                                                              APIs
                                                                              • BeginPaint.USER32(00000000,?), ref: 00416BEA
                                                                              • SaveDC.GDI32(?), ref: 00416C1B
                                                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CDD), ref: 00416C7C
                                                                              • RestoreDC.GDI32(?,?), ref: 00416CA3
                                                                              • EndPaint.USER32(00000000,?,00416CE4,00000000,00416CDD), ref: 00416CD7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                              • String ID:
                                                                              • API String ID: 3808407030-0
                                                                              • Opcode ID: 9dbee4afef3342a1118fe94af4db042876ba076589cd8fbe03d3dafbab9a1917
                                                                              • Instruction ID: d01cb87f5b59018fc56deeb4e87b7ab8bc0427f6b3bc4af5dc1a1103c08de3bf
                                                                              • Opcode Fuzzy Hash: 9dbee4afef3342a1118fe94af4db042876ba076589cd8fbe03d3dafbab9a1917
                                                                              • Instruction Fuzzy Hash: 92413F70A042049FDB14DBA9C585FAAB7F8FF48304F1640AAE8449B362D778DD41CF58
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 467955183208ce25b054c041a4296c22cdeaecd9d68ca8a84e60d52ec3adc7bc
                                                                              • Instruction ID: 0b27ab95fc397ea4887dead8241102332a9c138a594af593d7cc3aeb0b08d67b
                                                                              • Opcode Fuzzy Hash: 467955183208ce25b054c041a4296c22cdeaecd9d68ca8a84e60d52ec3adc7bc
                                                                              • Instruction Fuzzy Hash: 55310E746047449FC320EB69C584BABB7E8AF89714F04891EF9D5C7791C778EC808B19
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A0
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297CF
                                                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297EB
                                                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429816
                                                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429834
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: f51c000d5b75d04aa275696eebc01621a37157c7b265c612b2e1571bb09fb902
                                                                              • Instruction ID: 89df0b0ea6b704c8094771ed204f1775ba8948c405ba470affa89d1326c9a020
                                                                              • Opcode Fuzzy Hash: f51c000d5b75d04aa275696eebc01621a37157c7b265c612b2e1571bb09fb902
                                                                              • Instruction Fuzzy Hash: AE21AF70750714BAE710AB67CC82F9BB6ECDB41708F90043EB902AB2D2DB78AD41861C
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BB62
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BB6C
                                                                              • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBAA
                                                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD15,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBF1
                                                                              • DeleteObject.GDI32(00000000), ref: 0041BC32
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$A26310A570DeleteObject
                                                                              • String ID:
                                                                              • API String ID: 4277397052-0
                                                                              • Opcode ID: 81c0469bd937656807314b2f160fa72611f686b9a9e4561c5b4ad3645fba98bf
                                                                              • Instruction ID: db3e645bd233964b4bfb6ef65323c35588abf36d0d90ac3393220eac8c93e687
                                                                              • Opcode Fuzzy Hash: 81c0469bd937656807314b2f160fa72611f686b9a9e4561c5b4ad3645fba98bf
                                                                              • Instruction Fuzzy Hash: C4318074E00209EFDB00DFA5C941AAEF7F5EB48704F5085AAF510AB381D7389E80DB98
                                                                              APIs
                                                                                • Part of subcall function 0045A3C0: SetLastError.KERNEL32(00000057,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A42B
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0046CF60,?,?,00000001,00492070), ref: 0046CF19
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0046CF60,?,?,00000001,00492070), ref: 0046CF2F
                                                                              Strings
                                                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046CF23
                                                                              • Setting permissions on registry key: %s\%s, xrefs: 0046CEDE
                                                                              • Failed to set permissions on registry key (%d)., xrefs: 0046CF40
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                              • API String ID: 1452528299-4018462623
                                                                              • Opcode ID: 1558ad47347fe0cb0cb2613aba19e83ad6842849032d35ab6e38b0d9c5d2390b
                                                                              • Instruction ID: ef7c85a59db57ad542929e1cce8e4a404c5f136f3084124e425ae329c13d753f
                                                                              • Opcode Fuzzy Hash: 1558ad47347fe0cb0cb2613aba19e83ad6842849032d35ab6e38b0d9c5d2390b
                                                                              • Instruction Fuzzy Hash: BA21C870A046449FCB04DBAEC8826BEBBE5EF49314F50417BE444E73D2E77C5905876A
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: a25dcb7dcef0a7fc2663accc9c98bc47e8be32d0fe9c1fcc61f4f26f659e45fd
                                                                              • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                              • Opcode Fuzzy Hash: a25dcb7dcef0a7fc2663accc9c98bc47e8be32d0fe9c1fcc61f4f26f659e45fd
                                                                              • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                              APIs
                                                                              • 73A18830.GDI32(00000000,00000000,00000000), ref: 004143B1
                                                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 004143B9
                                                                              • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143CD
                                                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143D3
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A122A18830$A480
                                                                              • String ID:
                                                                              • API String ID: 3325508737-0
                                                                              • Opcode ID: ac3ba5ec9f47890fe6046dfa189f75fd0bee42a67d05a44b9527fc943465d49f
                                                                              • Instruction ID: 3a0d44f5d7faf9fe2bb52ae42b51fe77fe62cd6758d91a408017df0657574073
                                                                              • Opcode Fuzzy Hash: ac3ba5ec9f47890fe6046dfa189f75fd0bee42a67d05a44b9527fc943465d49f
                                                                              • Instruction Fuzzy Hash: 9401DF3531C3806AD200B63E8C85A9F6BEC8FCA314F05596EF498DB383CA7ACC018765
                                                                              APIs
                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,004746A6,?,00000000,00000000,00000001,00000000,004731C9,?,00000000), ref: 0047318D
                                                                              Strings
                                                                              • .G, xrefs: 00473026
                                                                              • Failed to parse "reg" constant, xrefs: 00473194
                                                                              • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00473001
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$.G
                                                                              • API String ID: 3535843008-3259947705
                                                                              • Opcode ID: a8ec807fdfd9d288c69130123b0e62607720fcde4ee3a5e8d6a4d6bf2e1d5566
                                                                              • Instruction ID: d3de52e573be9792d774070a052a544339806b0d6ab8d46a77d771b2b0eca22f
                                                                              • Opcode Fuzzy Hash: a8ec807fdfd9d288c69130123b0e62607720fcde4ee3a5e8d6a4d6bf2e1d5566
                                                                              • Instruction Fuzzy Hash: C6816170E00148AFCB10EFA5C485ADEBBF9EF48315F50816AE814A7395DB38AF05DB58
                                                                              APIs
                                                                              • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F93
                                                                              • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040700D
                                                                              • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407065
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Enum$NameOpenResourceUniversal
                                                                              • String ID: Z
                                                                              • API String ID: 3604996873-1505515367
                                                                              • Opcode ID: 4fbae2768792f62ec27454655fe243a80966ce4e8b03315e75fa75894fd07684
                                                                              • Instruction ID: 735be7eb0b4da2dda06d529e75480a139d3e19f565dfc92d6ef8ab2fa0ce30cd
                                                                              • Opcode Fuzzy Hash: 4fbae2768792f62ec27454655fe243a80966ce4e8b03315e75fa75894fd07684
                                                                              • Instruction Fuzzy Hash: 44518270E04208EFDB15EF55C841A9EBBB9EF49304F1081BAE510BB3D1D778AE458B5A
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,00000000,0042E9EF,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8C6
                                                                                • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                              • SelectObject.GDI32(?,00000000), ref: 0042E8E9
                                                                              • 73A1A480.USER32(00000000,?,0042E9D4,00000000,0042E9CD,?,00000000,00000000,0042E9EF,?,?,?,?,00000000,00000000,00000000), ref: 0042E9C7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: A480A570CreateFontIndirectObjectSelect
                                                                              • String ID: ...\
                                                                              • API String ID: 2998766281-983595016
                                                                              • Opcode ID: 6bac56e0a1e1d030e3442e16f80a86cf89f7188d6604d290fad7fbfa57b2ff83
                                                                              • Instruction ID: 1aab5199582a6c180f2ff9654c10ae8312a8ca65cc5aa023ecc5a249eb890d51
                                                                              • Opcode Fuzzy Hash: 6bac56e0a1e1d030e3442e16f80a86cf89f7188d6604d290fad7fbfa57b2ff83
                                                                              • Instruction Fuzzy Hash: 9B3161B0B00128AFDF11EB9AD841BAEB7F8EF49304F90447BF400A7291C7785E85CA59
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FA7
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FB7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFileHandle
                                                                              • String ID: .tmp$_iu
                                                                              • API String ID: 3498533004-10593223
                                                                              • Opcode ID: c34424a2c96d0d09866b7ff145e3dc2aae655ba7c79e62e503256b2f29b8af3d
                                                                              • Instruction ID: 3ec03c526205475de97859747d214e84d91a0a24a25cc78bc42f9ff7b87d07c8
                                                                              • Opcode Fuzzy Hash: c34424a2c96d0d09866b7ff145e3dc2aae655ba7c79e62e503256b2f29b8af3d
                                                                              • Instruction Fuzzy Hash: CC31C571A00249ABCB11EB95C982B9EFBB5AF44319F60452AF900B73D2D7785F05C798
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegCloseKey.ADVAPI32(?,0048A1F2,?,?,00000001,00000000,00000000,0048A20D), ref: 0048A1DB
                                                                              Strings
                                                                              • Inno Setup CodeFile: , xrefs: 0048A19E
                                                                              • %s\%s_is1, xrefs: 0048A16C
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048A14E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1837835967
                                                                              • Opcode ID: b624771721beb2404a95d1e83b620549d5a6b172729843f25a0228502058730a
                                                                              • Instruction ID: a5d615d1b3f8cef788befc11580f5f62f4b91129ed11068eb2387ca442f9be7f
                                                                              • Opcode Fuzzy Hash: b624771721beb2404a95d1e83b620549d5a6b172729843f25a0228502058730a
                                                                              • Instruction Fuzzy Hash: BF31B770A042585FDB11EF99CC41A9EBBF9FB48304F90487BE404E7391D7789E118B59
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,?,?), ref: 00416417
                                                                              • UnregisterClassA.USER32(?,00400000), ref: 00416443
                                                                              • RegisterClassA.USER32(?), ref: 00416466
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoRegisterUnregister
                                                                              • String ID: @
                                                                              • API String ID: 3749476976-2766056989
                                                                              • Opcode ID: c6f754ddbc1f1592c038d5fd8d8a6edf7e8c30b70e6925c2268abc12fe8df858
                                                                              • Instruction ID: 8d5fd529f2c4ecc0e90252aabd6d594848dc8255f615fdd73e4063fc75abf067
                                                                              • Opcode Fuzzy Hash: c6f754ddbc1f1592c038d5fd8d8a6edf7e8c30b70e6925c2268abc12fe8df858
                                                                              • Instruction Fuzzy Hash: 04318E706042448BD710EF68C981BDB77E9AB84308F04447EF945DB392DB39D984CB6A
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044F514
                                                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F556
                                                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F587
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$ExecuteShell
                                                                              • String ID: open
                                                                              • API String ID: 2179883421-2758837156
                                                                              • Opcode ID: 360b20596ba14dfcacaf102da6d8fd63a38cba34a27391c9a436a38375e38bd8
                                                                              • Instruction ID: f6c121e396d337d32eb6a789f445b56fd050c9e01d6657e7198035f37428b3f8
                                                                              • Opcode Fuzzy Hash: 360b20596ba14dfcacaf102da6d8fd63a38cba34a27391c9a436a38375e38bd8
                                                                              • Instruction Fuzzy Hash: E7218171E40204BFEB10DFA9CC42B9EB7B8AB44714F20857BB401E7292D6789E058A48
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F27C
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F2A5
                                                                              • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0048F2BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$Attributes$Move
                                                                              • String ID: isRS-%.3u.tmp
                                                                              • API String ID: 3839737484-3657609586
                                                                              • Opcode ID: 979824f62d6b447bd564da45f68fcd6230ebe23141ac59a22f77e4fe4f4f358e
                                                                              • Instruction ID: 61be1f871612b34a02b642c1353b08c71706081479864b0027ec20696c0f7de2
                                                                              • Opcode Fuzzy Hash: 979824f62d6b447bd564da45f68fcd6230ebe23141ac59a22f77e4fe4f4f358e
                                                                              • Instruction Fuzzy Hash: A4216171E00209AFCB00FFA9C8819AFB7B8AF48314F10497BB814B72D1D6389E458B59
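The per-function summaries above are most useful in bulk: the ShellExecuteA(…,open,…) block at 0044F587, the GetFileAttributesA / SetFileAttributesA / MoveFileExA(MOVEFILE_REPLACE_EXISTING) block at 0048F2BE, and the RegCloseKey block whose strings (%s\%s_is1, "Inno Setup CodeFile:", Software\Microsoft\Windows\CurrentVersion\Uninstall) identify the Inno Setup installer wrapper. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses "APIs" and "Strings" lines in the layout shown here into per-function records and applies a handful of behaviour tags. The tag names and tagging rules are my own choices, not Joe Sandbox signatures, and the embedded sample is constructed from lines copied from the blocks above (one MessageBoxA/ExitProcess block is included to show that a function with no matching rule earns no tag).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Line shapes used in the per-function summaries on this page:
#   • CreateFileA.KERNEL32(00000000,C0000000,...), ref: 00451FA7
#     • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(...), ref: 0042DC50
#   • ExitProcess.KERNEL32 ref: 00404E0D              (no argument list)
#   • %s\%s_is1, xrefs: 0048A16C                      (under "Strings")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SECTION_END = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed tag vocabulary (my own, not a Joe Sandbox category).
LAUNCHERS = {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW",
             "CreateProcessA", "CreateProcessW", "WinExec"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                          # call-site address from the "ref:" field
    subcall_of: Optional[str] = None  # set when the call lives in a callee


@dataclass
class FunctionSummary:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def entry_ref(self) -> Optional[str]:
        """Address of the first direct call site, used as a handle for the function."""
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return direct[0] if direct else (self.calls[0].ref if self.calls else None)


def parse_summary(text: str) -> List[FunctionSummary]:
    """Split a run of 'APIs' / 'Strings' blocks into one record per function."""
    funcs: List[FunctionSummary] = []
    cur, mode = None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # every function block starts here
            cur = FunctionSummary()
            funcs.append(cur)
            mode = "apis"
        elif s == "Strings":
            mode = "strings"
        elif s in SECTION_END:                # metadata follows; ignore until next block
            mode = None
        elif cur is None or mode is None:
            continue
        elif mode == "apis":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        else:
            m = STR_RE.match(line)
            if m:
                cur.strings.append(m["s"].strip())
    return funcs


def classify(fn: FunctionSummary) -> Set[str]:
    """Apply simple behaviour rules; 'direct' excludes calls attributed to callees."""
    tags: Set[str] = set()
    direct = {c.api for c in fn.calls if c.subcall_of is None}
    every = {c.api for c in fn.calls}
    if direct & LAUNCHERS:
        tags.add("launches-program")
    if any(c.api.startswith("MoveFile") and any("MOVEFILE_REPLACE_EXISTING" in a for a in c.args)
           for c in fn.calls):
        tags.add("overwrites-existing-file")
    if direct & {"SetFileAttributesA", "SetFileAttributesW"} and any(
            c.api.startswith(("MoveFile", "DeleteFile")) for c in fn.calls):
        tags.add("clears-attributes-before-move-or-delete")
    if {"WNetOpenEnumA", "WNetEnumResourceA"} <= every:
        tags.add("enumerates-network-resources")
    if any("CurrentVersion\\Uninstall" in s for s in fn.strings):
        tags.add("reads-uninstall-registry-key")
    if any("Inno Setup" in s or s.endswith("_is1") or s.startswith("isRS-") for s in fn.strings):
        tags.add("inno-setup-artifact")
    return tags


def triage(text: str):
    """(entry_ref, sorted tags) for every function that earned at least one tag."""
    return [(fn.entry_ref, sorted(classify(fn))) for fn in parse_summary(text) if classify(fn)]


# Constructed sample: lines copied in shape and content from the blocks above.
SAMPLE = r"""
APIs
• SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044F514
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F556
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F587
Strings
APIs
• GetFileAttributesA.KERNEL32(00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F27C
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F2A5
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0048F2BE
Strings
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegCloseKey.ADVAPI32(?,0048A1F2,?,?,00000001,00000000,00000000,0048A20D), ref: 0048A1DB
Strings
• Inno Setup CodeFile: , xrefs: 0048A19E
• %s\%s_is1, xrefs: 0048A16C
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048A14E
Memory Dump Source
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
"""

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref, ", ".join(tags))
```

Calls that the report marks as "Part of subcall function" are kept but flagged with subcall_of, and the rules that describe what a function itself does (launching a program, clearing attributes) only look at direct calls; otherwise the RegOpenKeyExA inherited from 0042DC34 would make every caller of that helper look like it opens the registry. The Inno Setup string rule is there because, on this sample, most of the listed functions belong to the installer stub rather than to the Socks5Systemz payload, and separating the two is the first step of triage.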
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                              • ExitProcess.KERNEL32 ref: 00404E0D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000
                                                                              • API String ID: 1220098344-2970929446
                                                                              • Opcode ID: b73e79376dc86986e2de3d6786bf52b89e6212eacab09463d725525c724406b4
                                                                              • Instruction ID: 4964c014a9b225fdafc930403c361c4a0e2b82a5ec25387492832e0e5010fe64
                                                                              • Opcode Fuzzy Hash: b73e79376dc86986e2de3d6786bf52b89e6212eacab09463d725525c724406b4
                                                                              • Instruction Fuzzy Hash: 1F21F564A442838ADB11A775AC817163BC09BE9348F048177E700F77F2C67D8C85C7AE
                                                                              APIs
                                                                                • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004548DC
                                                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454909
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                                              • API String ID: 1312246647-2435364021
                                                                              • Opcode ID: d3dc71c346485ab3d152acd6a1b73c3d1d2b8f9119836130f7a704a7f5d0f09f
                                                                              • Instruction ID: a40c1eef011a9d8f1081391c5a779594b5f2855bec7c7bc614a8ea4fb583a791
                                                                              • Opcode Fuzzy Hash: d3dc71c346485ab3d152acd6a1b73c3d1d2b8f9119836130f7a704a7f5d0f09f
                                                                              • Instruction Fuzzy Hash: 4911A274B00604AFDB11EFBADD52A4FBBADEB89309B108476B900D7652D6389D44CA18
                                                                              APIs
                                                                                • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                              • GetFocus.USER32 ref: 00471587
                                                                              • GetKeyState.USER32(0000007A), ref: 00471599
                                                                              • WaitMessage.USER32(?,00000000,004715C0,?,00000000,004715E7,?,?,00000001,00000000,?,?,?,?,0047882F,00000000), ref: 004715A3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: FocusMessageStateTextWaitWindow
                                                                              • String ID: Wnd=$%x
                                                                              • API String ID: 1381870634-2927251529
                                                                              • Opcode ID: 828e3ca45ad3c698ff01279d0f88c9e1178eb4b3adba419bc918aabddf7aac7b
                                                                              • Instruction ID: b807fb1c1c56bb812caeb9f7e09dc45766823d636da6ac98dce3b88b01009d44
                                                                              • Opcode Fuzzy Hash: 828e3ca45ad3c698ff01279d0f88c9e1178eb4b3adba419bc918aabddf7aac7b
                                                                              • Instruction Fuzzy Hash: 7611E730A00245AFCB04EFA9CC41A9E7BF8EB49714B5184B7F409E7660D7386A00CA69
                                                                              APIs
                                                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 004684E4
                                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004684F3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Time$File$LocalSystem
                                                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                              • API String ID: 1748579591-1013271723
                                                                              • Opcode ID: fb15fb04b026a85f908c017f1bb248dc801d3b433c3434c4ad647fe1e632695a
                                                                              • Instruction ID: 9035fb827cd0b5eb94a962f5192a85958c5040159214465956545233ec111c17
                                                                              • Opcode Fuzzy Hash: fb15fb04b026a85f908c017f1bb248dc801d3b433c3434c4ad647fe1e632695a
                                                                              • Instruction Fuzzy Hash: D511F8A540C3919AD340DF2AC44432BBBE4AB89704F048A6FF9D8D6381E779C948DB67
                                                                              APIs
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045245B
                                                                                • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452480
                                                                                • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesDeleteErrorLastMove
                                                                              • String ID: DeleteFile$MoveFile
                                                                              • API String ID: 3024442154-139070271
                                                                              • Opcode ID: f9d76b4cab54d59dcaad246f9a984c9d2cb7b2c81c6560c8d50bad456c564c36
                                                                              • Instruction ID: 7c022ce7fffbf854af2cd73beb00292919fc81d8123a6ea320111c964ace046d
                                                                              • Opcode Fuzzy Hash: f9d76b4cab54d59dcaad246f9a984c9d2cb7b2c81c6560c8d50bad456c564c36
                                                                              • Instruction Fuzzy Hash: CAF0A9706042196BE701FBA5D95276EA3ECEB4530AFA0443BB800B76C3EA7C8D09492D
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB05
                                                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB28
                                                                              Strings
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 0047BAD2
                                                                              • CSDVersion, xrefs: 0047BAFC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 3677997916-1910633163
                                                                              • Opcode ID: 4ac9a4f0d9e3a3f04f375305fe99a307306476d8f6c0634da4c4ca10b6663b63
                                                                              • Instruction ID: f9d6470f56a4eb7c7521d5953e5a97fa47e7d60c692ec71961a26f8fc4825788
                                                                              • Opcode Fuzzy Hash: 4ac9a4f0d9e3a3f04f375305fe99a307306476d8f6c0634da4c4ca10b6663b63
                                                                              • Instruction Fuzzy Hash: 95F03C75E4020DAADF10DAD18D45BEFB3BCEB04704F108167EA14E7684E778AA04CB99
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452156,00000000,004521F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004524C5,00000000), ref: 0042D7DE
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                              • API String ID: 1646373207-4063490227
                                                                              • Opcode ID: 7c674904f671aebd09d2ab9d8afdbdccb739e222ae58e833903533c7e00c6a52
                                                                              • Instruction ID: 66c4d429b2bb8bea53b3dd5d96524e1f8f85b807068defc51c0adcd71f910684
                                                                              • Opcode Fuzzy Hash: 7c674904f671aebd09d2ab9d8afdbdccb739e222ae58e833903533c7e00c6a52
                                                                              • Instruction Fuzzy Hash: ABE04F61B40B1012D71075BA6C83B5B15898B88B24F94C43B39A4E72C3DEBCD9482A6E
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048FB45), ref: 0044ECF3
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044ECF9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: NotifyWinEvent$user32.dll
                                                                              • API String ID: 1646373207-597752486
                                                                              • Opcode ID: 854c6bbe020e6da071b151b7a37b0013c1b1003e38029c843ed5522258a2efe1
                                                                              • Instruction ID: ebbf3dccc32e5ba6b53a4526e90e44936dd8c09a18a524ea58820243c91103ba
                                                                              • Opcode Fuzzy Hash: 854c6bbe020e6da071b151b7a37b0013c1b1003e38029c843ed5522258a2efe1
                                                                              • Instruction Fuzzy Hash: D2E0ECE0E417879DFB00BBB79946B092990B714359B04447BB000A65A6C77D44409E1F
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048FB91,00000001,00000000,0048FBB5), ref: 0048F91A
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0048F920
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                              • API String ID: 1646373207-834958232
                                                                              • Opcode ID: 7703ed9c6d59be89bab22b75cd787685a67b5bcab8d2965a3b4c640d54842158
                                                                              • Instruction ID: 9748046246e421f12df1761c1623ccfc58d2b16d05e44609c018975195fd515b
                                                                              • Opcode Fuzzy Hash: 7703ed9c6d59be89bab22b75cd787685a67b5bcab8d2965a3b4c640d54842158
                                                                              • Instruction Fuzzy Hash: 75B002E164170174991036F20D47B1F044988547757550877B424F61C7DD7C99085A6D
                                                                              APIs
                                                                                • Part of subcall function 0044A9DC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044ECE9,0048FB45), ref: 0044AA03
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AA1B
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AA2D
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AA3F
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AA51
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA63
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA75
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AA87
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AA99
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AAAB
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AABD
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AACF
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AAE1
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AAF3
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AB05
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AB17
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AB29
                                                                                • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AB3B
                                                                              • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0048FB63), ref: 0045F42F
                                                                              • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045F435
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2238633743-2683653824
                                                                              • Opcode ID: 70d50522bc00947dc78e9d8c65e993543da5849955c29b1ee9488e277c97b5ab
                                                                              • Instruction ID: 489f3c9072138d942c7d8f7de9f129a04709bb7653bedc0112192cbae7471543
                                                                              • Opcode Fuzzy Hash: 70d50522bc00947dc78e9d8c65e993543da5849955c29b1ee9488e277c97b5ab
                                                                              • Instruction Fuzzy Hash: 54B092E0680740A48E00B7BB284BA1B140485A1B0E710847B34007A0D7CF7C501C6E6F
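The records above are the raw material a triage analyst wants condensed: one function that replaces a file (SetFileAttributesA, DeleteFileA in a subcall, MoveFileA), one that reads the service-pack string CSDVersion from HKEY_LOCAL_MACHINE (0x80000002) under System\CurrentControlSet\Control\Windows, and several that resolve exports at run time through GetModuleHandleA or LoadLibraryA followed by GetProcAddress (GetSystemWow64DirectoryA, NotifyWinEvent, DisableProcessWindowsGhosting, the uxtheme.dll theme exports, SHPathPrepareForWriteA). The parser below is an added example written by the editor, not Joe Sandbox code and not code from the sample; it assumes only the line layout visible on this page, and its sample input is copied from the records above. One caveat drives its design: the argument columns are the stack contents the sandbox saw at call time and can be stale (the GetProcAddress line at 0042D7E4 shows kernel32.dll as its second argument while the real export name, GetSystemWow64DirectoryA, is visible in the preceding GetModuleHandleA line), so the parser harvests every export-looking string across the whole resolution sequence and pairs it with the most recently named module instead of trusting argument position.

```python
"""Added example (editor's Python, not part of the Joe Sandbox report): parse
the per-function "APIs" records and summarize run-time API resolution,
registry access and file operations. Assumes the line layout shown on this
page; the sample text below is copied from the records above."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from this page, bullets included.
SAMPLE_REPORT = r"""
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045245B
  • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452480
Strings
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB28
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452156,00000000,004521F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004524C5,00000000), ref: 0042D7DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7E4
APIs
  • Part of subcall function 0044A9DC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044ECE9,0048FB45), ref: 0044AA03
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AA1B
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AA2D
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0048FB63), ref: 0045F42F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045F435
APIs
• GetDesktopWindow.USER32 ref: 00413CDE
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$")
MODULE_RE = re.compile(r"^[\w-]+\.dll$", re.I)     # e.g. kernel32.dll
EXPORT_RE = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")  # CamelCase export name
HEX_RE = re.compile(r"^[0-9A-F]{8}$")              # raw stack value
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA",
             "GetModuleHandleW", "GetProcAddress"}
FILE_WRITE = ("MoveFile", "DeleteFile", "CopyFile", "SetFileAttributes", "WriteFile")
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
FILE_ATTRIBUTES = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                   0x4: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
                   0x80: "FILE_ATTRIBUTE_NORMAL"}
TAG_TESTS = [("dynamic-api-resolution", lambda f: f == "GetProcAddress"),
             ("registry", lambda f: f.startswith("Reg")),
             ("file-write", lambda f: f.startswith(FILE_WRITE))]


@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: Optional[str]
    subcall: Optional[str]   # callee address when the call sits in a subcall


@dataclass
class Record:
    calls: list
    tags: set
    resolved: dict           # module -> exports fetched via GetProcAddress
    registry_keys: list
    registry_values: list


def parse_calls(text):
    """Split the report text into one call list per 'APIs' block."""
    records, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = []
            records.append(current)
            continue
        if s in ("Strings", "Memory Dump Source"):
            current = None   # end of the APIs block
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["func"], m["mod"], args, m["ref"], m["sub"]))
    return records


def resolved_imports(calls):
    """Pair export names with the most recently named module. Argument
    columns are stack contents at call time and may be stale, so every
    export-looking string in the resolution sequence is harvested."""
    resolved, module = {}, None
    for c in calls:
        if c.func not in RESOLVERS:
            continue
        for a in c.args:
            if MODULE_RE.match(a):
                module = a.lower()
            elif module and EXPORT_RE.match(a) and not HEX_RE.match(a):
                if a not in resolved.setdefault(module, []):
                    resolved[module].append(a)
    return resolved


def classify(calls):
    funcs = [c.func for c in calls]
    return {tag for tag, test in TAG_TESTS if any(test(f) for f in funcs)}


def decode_file_attributes(hex_value):
    """Decode a SetFileAttributes mask; 00000020 is ARCHIVE, not NORMAL."""
    v = int(hex_value, 16)
    return [name for bit, name in FILE_ATTRIBUTES.items() if v & bit]


def parse_report(text):
    out = []
    for calls in parse_calls(text):
        keys = [f"{HIVES.get(c.args[0], c.args[0])}\\{c.args[1]}" for c in calls
                if c.func.startswith(("RegOpenKey", "RegCreateKey")) and len(c.args) > 1]
        values = [c.args[1] for c in calls
                  if c.func.startswith("RegQueryValue") and len(c.args) > 1]
        out.append(Record(calls, classify(calls), resolved_imports(calls), keys, values))
    return out


def dynamic_imports(records):
    """Every (module, export) pair the sample resolves at run time."""
    summary = {}
    for r in records:
        for mod, exports in r.resolved.items():
            summary.setdefault(mod, set()).update(exports)
    return summary


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for i, r in enumerate(recs):
        print(i, sorted(r.tags), r.resolved, r.registry_keys, r.registry_values)
    print(dynamic_imports(recs))
```

Running it on the embedded sample yields three run-time-resolved modules (kernel32.dll, uxtheme.dll, shell32.dll), one registry read of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\CSDVersion, and one file-replacement record whose SetFileAttributesA mask 0x20 decodes to FILE_ATTRIBUTE_ARCHIVE. To apply it to a full report, feed the exported text instead of SAMPLE_REPORT; the regex tolerates both the parenthesised and the bare "ref:" forms shown on this page, and the RESOLVERS, FILE_WRITE and TAG_TESTS tables are the places to extend when a report shows other API families.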
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00413CDE
                                                                              • GetDesktopWindow.USER32 ref: 00413D96
                                                                                • Part of subcall function 00418E58: 6F59C6F0.COMCTL32(?,00000000,00413F5B,00000000,0041406B,?,?,00491628), ref: 00418E74
                                                                                • Part of subcall function 00418E58: ShowCursor.USER32(00000001,?,00000000,00413F5B,00000000,0041406B,?,?,00491628), ref: 00418E91
                                                                              • SetCursor.USER32(00000000,?,?,?,?,00413A8B,00000000,00413A9E), ref: 00413DD4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CursorDesktopWindow$Show
                                                                              • String ID:
                                                                              • API String ID: 2074268717-0
                                                                              • Opcode ID: a8e403287ed854eef21bf0b8e16bf44119f7a13ff9f3b19356e0a7d56e8c063c
                                                                              • Instruction ID: fc7d074f9e2afbbedeeaf2f70ab14b1a39a2a39f4cd9742eeb46a1c6c8001010
                                                                              • Opcode Fuzzy Hash: a8e403287ed854eef21bf0b8e16bf44119f7a13ff9f3b19356e0a7d56e8c063c
                                                                              • Instruction Fuzzy Hash: 0A414C79600112AFC700EF29E984B9637E1ABA5325F16847BE416CB375DA38ED81CF5C
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A05
                                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A74
                                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B0F
                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B4E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString$FileMessageModuleName
                                                                              • String ID:
                                                                              • API String ID: 704749118-0
                                                                              • Opcode ID: ebd030581ac431f97c2338603ef737fe227fa2e060e8ef1bfaf9cc22063cac2e
                                                                              • Instruction ID: d45b7975f82c9d70b934f6c50788ad2e06e2971270f8d73bb404f5d5711a2fe4
                                                                              • Opcode Fuzzy Hash: ebd030581ac431f97c2338603ef737fe227fa2e060e8ef1bfaf9cc22063cac2e
                                                                              • Instruction Fuzzy Hash: 533161716083819ED330EB65C945BDB77E89B86704F00483FB6C8EB2D1EB799904876B
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044DE75
                                                                                • Part of subcall function 0044C5E8: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C61A
                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044DEF9
                                                                                • Part of subcall function 0042BB4C: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB60
                                                                              • IsRectEmpty.USER32(?), ref: 0044DEBB
                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044DEDE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                              • String ID:
                                                                              • API String ID: 855768636-0
                                                                              • Opcode ID: 443ab47adb1ec5c9c35ae6fd72f99f5c857124858bc59851fde32f0e366e849c
                                                                              • Instruction ID: a13c456d72208a623a7b883bc2c1d4b88f1433389d4f27aa7ab4984ad5729aa9
                                                                              • Opcode Fuzzy Hash: 443ab47adb1ec5c9c35ae6fd72f99f5c857124858bc59851fde32f0e366e849c
                                                                              • Instruction Fuzzy Hash: 1B115C72B4030027E610BB7E9C86B6B66C99B88709F15493FB505EB387DE79DC0583A9
                                                                              APIs
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 0048C910
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 0048C92B
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 0048C945
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 0048C960
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 177026234-0
                                                                              • Opcode ID: 344f90fd973b61dec1719f74986ca825845ed497906d6150224b7383c721799f
                                                                              • Instruction ID: 42f8aa55f024e3429e2eaa94a5be14035eb449308597c6f44df06c8aab2f85cb
                                                                              • Opcode Fuzzy Hash: 344f90fd973b61dec1719f74986ca825845ed497906d6150224b7383c721799f
                                                                              • Instruction Fuzzy Hash: A9217CB67042019BC700EE69CD85E5BB7EEEBD4314F14CA2AF944C724AD634E90487A6
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 004171F8
                                                                              • SetCursor.USER32(00000000), ref: 0041723B
                                                                              • GetLastActivePopup.USER32(?), ref: 00417265
                                                                              • GetForegroundWindow.USER32(?), ref: 0041726C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                              • String ID:
                                                                              • API String ID: 1959210111-0
                                                                              • Opcode ID: 49b72ea5b80ad026c74ee01f3b8aa1d70c4e113c6919eb178b0b945e67937c83
                                                                              • Instruction ID: 474a02dae0bc1cc16c74f463c4dfa897162101ab82a57061081b6ea4e8c8a524
                                                                              • Opcode Fuzzy Hash: 49b72ea5b80ad026c74ee01f3b8aa1d70c4e113c6919eb178b0b945e67937c83
                                                                              • Instruction Fuzzy Hash: 7C21C1707442018BC710AB69D844ADB33F1AB28724B1549AFF8159B3A2DB3DCC82CB89
                                                                              APIs
                                                                              • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048C625
                                                                              • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048C639
                                                                              • MulDiv.KERNEL32(F79033E8,00000008,?), ref: 0048C64D
                                                                              • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048C66B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c45f815ace7d04306764da949dfdc0a4b8441de88e84914829dbb49b4c4a4f4c
                                                                              • Instruction ID: b4ebb5979fa4b2e9a5afe8ea56fb1b403c0725f10a041755f011a7e7f9c329d4
                                                                              • Opcode Fuzzy Hash: c45f815ace7d04306764da949dfdc0a4b8441de88e84914829dbb49b4c4a4f4c
                                                                              • Instruction Fuzzy Hash: 55112472604204ABCB40EF99D8C4D9B77ECEF4D364B145566F918DB245D634DD408BA8
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,0041F408,?), ref: 0041F439
                                                                              • UnregisterClassA.USER32(0041F408,00400000), ref: 0041F462
                                                                              • RegisterClassA.USER32(00490598), ref: 0041F46C
                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F4A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                              • String ID:
                                                                              • API String ID: 4025006896-0
                                                                              • Opcode ID: 3680ae8bfdd5854ad182cc3ed0ee75b30f6016c42ee0be15608523d0c0c3bd16
                                                                              • Instruction ID: e3796a94589284a41c738c5819506084737bfa234d933e9faf155b010baadd2a
                                                                              • Opcode Fuzzy Hash: 3680ae8bfdd5854ad182cc3ed0ee75b30f6016c42ee0be15608523d0c0c3bd16
                                                                              • Instruction Fuzzy Hash: 230192712401046FCB10EBA8DC81E9B379CA729314B10423BB905E76E2C73AAC558BAC
                                                                              APIs
                                                                              • WaitForInputIdle.USER32(?,00000032), ref: 00453390
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
                                                                              • CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                              • String ID:
                                                                              • API String ID: 4071923889-0
                                                                              • Opcode ID: 464959586153dfe20dd67b28afba754944294a3e2643d9052662c03b5fcfb21b
                                                                              • Instruction ID: 425b4fcc71ae9d838f4840175c65cc31c3a1e87f24a2de7ee017be576f2ac103
                                                                              • Opcode Fuzzy Hash: 464959586153dfe20dd67b28afba754944294a3e2643d9052662c03b5fcfb21b
                                                                              • Instruction Fuzzy Hash: 7A01F970A00208BEEB209FA68C06F6F7A9CDB047A1F600567FD04D72D2C9B99E008668
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D1AF
                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?,?,004753C4,0000000A,REGDLL_EXE), ref: 0040D1C9
                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?,?,004753C4), ref: 0040D1E3
                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?), ref: 0040D1ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: ee5e1dc9f5e593ef15a6339409acf10a5561d1cb7b41ebb800b33b29d5258195
                                                                              • Instruction ID: deda1d1a570b9924e372cdce74b1d0c8dfbf1797afb094277eb0e3b4c0f61081
                                                                              • Opcode Fuzzy Hash: ee5e1dc9f5e593ef15a6339409acf10a5561d1cb7b41ebb800b33b29d5258195
                                                                              • Instruction Fuzzy Hash: 21F06DB36046046F8704EE9EA881D6B77DCDE88364320013FF908EB282DA39DD118B78
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 0046A1CD
                                                                              Strings
                                                                              • Unsetting NTFS compression on file: %s, xrefs: 0046A1B3
                                                                              • Setting NTFS compression on file: %s, xrefs: 0046A19B
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 0046A1DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                              • API String ID: 1452528299-3038984924
                                                                              • Opcode ID: 690111c2e8c7d45acf222b1962293f7c5f198cc35ba20f40355524d2a7863f5b
                                                                              • Instruction ID: 47f7f27018303e4db4ecddab4a834518905ab40d3cfe8eb9630ddd8b6c7f7bb7
                                                                              • Opcode Fuzzy Hash: 690111c2e8c7d45acf222b1962293f7c5f198cc35ba20f40355524d2a7863f5b
                                                                              • Instruction Fuzzy Hash: C401A730D0468856CF04D7AD50512DDBBE49F4A314F4482EFA455E7342EB790A088B9B
                                                                              APIs
                                                                                • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                              • RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000002,00000000,?,?,00000000,00458D43,?,?,?,?,?,00000000,00458D56), ref: 0045416C
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,00000002,00000000,?,?,00000000,00458D43,?,?,?,?,?,00000000), ref: 00454175
                                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00454182
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454196
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                              • String ID:
                                                                              • API String ID: 4283692357-0
                                                                              • Opcode ID: 402524234562bea118e31d4fc97ad2983232b877425af2278bf1a0f8092202f3
                                                                              • Instruction ID: f199344b5a67d1956bf0936e37952906655f1ab5386cc234ce10b19bfc91f13a
                                                                              • Opcode Fuzzy Hash: 402524234562bea118e31d4fc97ad2983232b877425af2278bf1a0f8092202f3
                                                                              • Instruction Fuzzy Hash: 2DF054B574574036EA10B6B69C4BF1B16CC9FA4749F14483BB604EF2C3D97CD844962D
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 004698D5
                                                                              Strings
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004698E6
                                                                              • Unsetting NTFS compression on directory: %s, xrefs: 004698BB
                                                                              • Setting NTFS compression on directory: %s, xrefs: 004698A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                              • API String ID: 1452528299-1392080489
                                                                              • Opcode ID: c78ea9f0286afc05c8d5c89fa65704261491de887a6efcc99c2b213f602f5caa
                                                                              • Instruction ID: ef9727caea0d79a2d912489ea4178e414084ad99865ae872d661dd84c5ec7156
                                                                              • Opcode Fuzzy Hash: c78ea9f0286afc05c8d5c89fa65704261491de887a6efcc99c2b213f602f5caa
                                                                              • Instruction Fuzzy Hash: 55016770E18248A6CF05EBAD50512EDBBEC9F49314F4481EFA455E7342EAB909088B9B
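The "API ID" keys in the Similarity sections of these blocks (for example Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess for the WaitForInputIdle block, ErrorLast for the GetLastError blocks, and the '$'-joined String ID of the two NTFS compression blocks) follow a pattern that can be recomputed from the listed calls. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses a function block as printed here and rebuilds both keys under a rule inferred from this section (assumption, not documented Joe Sandbox behaviour): API names split on CamelCase, tokens shorter than four characters (Get, Set, Reg, Key, Msg, A) dropped, tokens seen in more than one listed call placed before '$' and the rest after it, each group sorted; strings sorted and joined with '$'. The numeric "API String ID" values are hashes the example does not reproduce. The three sample blocks are constructed from this report's own lines with argument lists abridged, and all function names are the example's own.

```python
"""Recompute the "API ID" / "String ID" similarity keys of a Joe Sandbox
function block from its listed calls and strings.

The grouping rule is inferred from the blocks in this report, not taken from
Joe Sandbox documentation (assumption): split each API name on CamelCase, drop
tokens shorter than four characters (Get, Set, Reg, Key, Msg, A, ...), emit the
tokens seen in more than one call before '$' and the rest after it, each group
sorted; the String ID is the block's strings sorted and joined with '$'.
"""
import re
from collections import Counter

# An APIs line: optional "Part of subcall function XXXX:" prefix, then Name.MODULE(...)
CALL_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)\b")
# A Strings line: "• <text>, xrefs: <hex address>"
STRING_RE = re.compile(r"^•\s*(.*), xrefs: [0-9A-Fa-f]+$")


def parse_block(text):
    """Return ([(api, module), ...], [string, ...]) for one function block."""
    calls, strings, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            section = line
            continue
        if line == "Memory Dump Source":   # per-block metadata follows; stop here
            break
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                calls.append((m.group(1), m.group(2)))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                strings.append(m.group(1))
    return calls, strings


def api_id(calls, min_len=4):
    """Inferred "API ID" key; every listed call counts, repeated calls included."""
    words = Counter()
    for api, _module in calls:
        for word in re.findall(r"[A-Z][a-z]*", api):
            if len(word) >= min_len:
                words[word] += 1
    repeated = "".join(sorted(w for w, n in words.items() if n > 1))
    single = "".join(sorted(w for w, n in words.items() if n == 1))
    return f"{repeated}${single}" if repeated and single else repeated + single


def string_id(strings):
    """Inferred "String ID" key: the block's strings sorted and '$'-joined."""
    return "$".join(sorted(strings))


def fingerprint(block_text):
    """(API ID, String ID) for one block as printed in the report."""
    calls, strings = parse_block(block_text)
    return api_id(calls), string_id(strings)


# Constructed samples: three blocks from this report, argument lists abridged.
WAIT_BLOCK = """
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00453390
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
• GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
• CloseHandle.KERNEL32(?,004533EE,004533E7,?), ref: 004533E1
Memory Dump Source
"""

NTFS_DIR_BLOCK = """
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 004698D5
Strings
• Failed to set NTFS compression state (%d)., xrefs: 004698E6
• Unsetting NTFS compression on directory: %s, xrefs: 004698BB
• Setting NTFS compression on directory: %s, xrefs: 004698A3
Memory Dump Source
"""

FONT_BLOCK = r"""
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3), ref: 0042DC50
• RegDeleteValueA.ADVAPI32(00000000,00000000,?), ref: 0045416C
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00454175
• RemoveFontResourceA.GDI32(00000000), ref: 00454182
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454196
Memory Dump Source
"""

if __name__ == "__main__":
    for name, block in (("wait", WAIT_BLOCK), ("ntfs_dir", NTFS_DIR_BLOCK), ("font", FONT_BLOCK)):
        print(name, fingerprint(block))
```

The FONT_BLOCK sample shows that a call listed as "Part of subcall function" is counted like any other (its "Open" token appears in the report's key), and the MulDiv block of this section is the degenerate case: both tokens are three characters, so the key is empty, exactly as the report prints it. Computing the same key for a function in your own disassembly gives a string you can search for across other reports of the same family.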
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CountSleepTick
                                                                              • String ID:
                                                                              • API String ID: 2227064392-0
                                                                              • Opcode ID: 995d842a883d5398a2c5c0b428fcdd0dddcf53d93727648de4d3d0850eda6837
                                                                              • Instruction ID: 08fd6cd2ad76e3b23da8ebc1779cefba9a89fe9837f7ff6aeda7ac42dfd4a830
                                                                              • Opcode Fuzzy Hash: 995d842a883d5398a2c5c0b428fcdd0dddcf53d93727648de4d3d0850eda6837
                                                                              • Instruction Fuzzy Hash: FBE09BB2309D4045EA2535BE18C75BF4588CB85364B14553FF18DDE342C49C4D05996E
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638,?,?,?,?,?,0048FC34), ref: 00471309
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638), ref: 0047130F
                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638), ref: 00471331
                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000), ref: 00471342
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                              • String ID:
                                                                              • API String ID: 215268677-0
                                                                              • Opcode ID: 04ae2938cf7b607e71cbbb546688db9384a55e4af42e336c3e4b299ee880555f
                                                                              • Instruction ID: c2edc28ac066cfd51aa3baa8ebbe92a5e72e3efc0c265ece7e5fe74e96fba188
                                                                              • Opcode Fuzzy Hash: 04ae2938cf7b607e71cbbb546688db9384a55e4af42e336c3e4b299ee880555f
                                                                              • Instruction Fuzzy Hash: 19F030616443016BE600EAB5CC82EAB77DCEB44354F04893A7E98D72D1D678DC08AB66
                                                                              APIs
                                                                              • GetLastActivePopup.USER32(?), ref: 004241E4
                                                                              • IsWindowVisible.USER32(?), ref: 004241F5
                                                                              • IsWindowEnabled.USER32(?), ref: 004241FF
                                                                              • SetForegroundWindow.USER32(?), ref: 00424209
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                              • String ID:
                                                                              • API String ID: 2280970139-0
                                                                              • Opcode ID: 1ab57abcace7edaf0b20be0c4c89584f0552d67733da22874bc818ce831da09e
                                                                              • Instruction ID: 6e927f23018ccbf172bbe8116e39b175aa94dac4ee353161fd53b24705e9aa1e
                                                                              • Opcode Fuzzy Hash: 1ab57abcace7edaf0b20be0c4c89584f0552d67733da22874bc818ce831da09e
                                                                              • Instruction Fuzzy Hash: 63E08C6171253593BA21A63B2981E9B11CCCD563C434610A7BC21F7283DB2CCC8081BC
                                                                              APIs
                                                                              • GlobalHandle.KERNEL32 ref: 00406277
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040627E
                                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406283
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00406289
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Global$AllocHandleLockUnlock
                                                                              • String ID:
                                                                              • API String ID: 2167344118-0
                                                                              • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                              • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                              • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                              • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00465549
                                                                              • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046554F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$EnableItemSystem
                                                                              • String ID: CurPageChanged
                                                                              • API String ID: 3692539535-2490978513
                                                                              • Opcode ID: 14582f6af01cb1c448c3483150a52922259a7a16d11e6f002746ca479cfd6392
                                                                              • Instruction ID: 6dfccd792dee10a8ddc6b1ce5ca51da78fdb044aba1dfacf712d53146bfd97c3
                                                                              • Opcode Fuzzy Hash: 14582f6af01cb1c448c3483150a52922259a7a16d11e6f002746ca479cfd6392
                                                                              • Instruction Fuzzy Hash: 8CA1E834A04504EFC711EB69DA85AEE73F5EF48704F2540F6E8049B362EB38AE41DB49
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(00491420,00000000,004021FC), ref: 004020CB
                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00491420,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00491420,00401A89,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                              • String ID: *w
                                                                              • API String ID: 296031713-1711716165
                                                                              • Opcode ID: fb8272d384ee0c1325341ba53eb7ce7558827c9784b5d5b0354b471c9befd532
                                                                              • Instruction ID: 1534ec2a265a5a6c638e58d1893499d87399dfacb040dd5820afbec705462bdb
                                                                              • Opcode Fuzzy Hash: fb8272d384ee0c1325341ba53eb7ce7558827c9784b5d5b0354b471c9befd532
                                                                              • Instruction Fuzzy Hash: 3C41C4B2E003029FDB10CF69DD8521A77A4F7AD364B15417BD854A77F1D3789842CB48
                                                                              Strings
                                                                              • Failed to proceed to next wizard page; aborting., xrefs: 00466F28
                                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 00466F3C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                              • API String ID: 0-1974262853
                                                                              • Opcode ID: 7bc73c37f7c0a0932c9a7e1681f77de0aa2b39437c0be3336e4ce5822834e31d
                                                                              • Instruction ID: 4b413c9e45c01387e2ec053e49b0ee0e61424ab654f593ad6fa4ba39452d6d3c
                                                                              • Opcode Fuzzy Hash: 7bc73c37f7c0a0932c9a7e1681f77de0aa2b39437c0be3336e4ce5822834e31d
                                                                              • Instruction Fuzzy Hash: 1731B134A04204AFD700EB69D991AAE77F9EB49704F5640FBF80497362E739AE00CA19
                                                                              APIs
                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0045370C
                                                                              • GetLastError.KERNEL32(0000003C,00000000,00453755,?,?,?), ref: 0045371D
                                                                                • Part of subcall function 00453364: WaitForInputIdle.USER32(?,00000032), ref: 00453390
                                                                                • Part of subcall function 00453364: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
                                                                                • Part of subcall function 00453364: GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
                                                                                • Part of subcall function 00453364: CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                                                              • String ID: <
                                                                              • API String ID: 35504260-4251816714
                                                                              • Opcode ID: 3a75e04fd456e85ed3d9637f33109561f7e5f59bb796c52a8a07068b53681de5
                                                                              • Instruction ID: cd2d9638c9b1948c9357882d32e5db715a7d71646bedac3e5f476f86f67f0d1b
                                                                              • Opcode Fuzzy Hash: 3a75e04fd456e85ed3d9637f33109561f7e5f59bb796c52a8a07068b53681de5
                                                                              • Instruction Fuzzy Hash: C82183F0A00209AFDB10DF65D88269E7BE8EF08396F50403AF844E7381D7789E59CB58
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(00491420,00000000,)), ref: 004025C7
                                                                              • RtlLeaveCriticalSection.KERNEL32(00491420,0040263D), ref: 00402630
                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00491420,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00491420,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00491420,00401A89,00000000,00401A82,?,?,0040222E,00491460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                              • String ID: )
                                                                              • API String ID: 2227675388-1084416617
                                                                              • Opcode ID: 208b45cba3b2a3df8931d2293a4abaf6f3730912dc1831b9574c04e8757b61d4
                                                                              • Instruction ID: 68dbd34ac6f77fd2c03a595fe7d756cb4eba71a2cbf0cff9f63ed6cc7c141560
                                                                              • Opcode Fuzzy Hash: 208b45cba3b2a3df8931d2293a4abaf6f3730912dc1831b9574c04e8757b61d4
                                                                              • Instruction Fuzzy Hash: 941131307042006FEB20AB799F1A62A6AD4C799358B60087FF404F32E2D9BD8D42826C
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0048DEE3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Window
                                                                              • String ID: /INITPROCWND=$%x $@
                                                                              • API String ID: 2353593579-4169826103
                                                                              • Opcode ID: 1f3c84d41e0764525ca55c727aee5074879e0e77746073647ffebb5be6ffe800
                                                                              • Instruction ID: 855e8ac7723f73ed5e6a380a74a5cf30f24dd7eb9a20ce23bb719821d2503dc4
                                                                              • Opcode Fuzzy Hash: 1f3c84d41e0764525ca55c727aee5074879e0e77746073647ffebb5be6ffe800
                                                                              • Instruction Fuzzy Hash: CD119031A082498FDB01EBA4D841BAEBBE8EB59314F10487BE605E72D1D67CA9058B58
                                                                              APIs
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • SysFreeString.OLEAUT32(?), ref: 00446B36
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: String$AllocByteCharFreeMultiWide
                                                                              • String ID: NIL Interface Exception$Unknown Method
                                                                              • API String ID: 3952431833-1023667238
                                                                              • Opcode ID: f9c513988fd6f76b7f60a244084181380ddd93906d77345ff9c34a9d882a5d74
                                                                              • Instruction ID: ee4fd1f69f73787f675b99b91a4415e7eeabcf4b79195ce3cbb71b2c928bd55a
                                                                              • Opcode Fuzzy Hash: f9c513988fd6f76b7f60a244084181380ddd93906d77345ff9c34a9d882a5d74
                                                                              • Instruction Fuzzy Hash: 751196716002449FEB10DFA5D852A6FBABCEB4A704F52407AF900E7681D679AD00CB6A
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048D7C8,?,0048D7BC,00000000,0048D7A3), ref: 0048D76E
                                                                              • CloseHandle.KERNEL32(0048D808,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048D7C8,?,0048D7BC,00000000), ref: 0048D785
                                                                                • Part of subcall function 0048D658: GetLastError.KERNEL32(00000000,0048D6F0,?,?,?,?), ref: 0048D67C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                                              • String ID: D
                                                                              • API String ID: 3798668922-2746444292
                                                                              • Opcode ID: f636622721b3c3afb54b067b6e3eba4984f215f7ffd14f65c607071d1f3a3e50
                                                                              • Instruction ID: 584ea8263f4d59fbbd435a1cfbc9f2a88759ffbc8e95f17843dbe1b3b5da52c6
                                                                              • Opcode Fuzzy Hash: f636622721b3c3afb54b067b6e3eba4984f215f7ffd14f65c607071d1f3a3e50
                                                                              • Instruction Fuzzy Hash: B90161B1A45248AFDB00EBA1DC82E9FBBACDF08714F51443AF904E72D1E6785E048728
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DB90
                                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBD0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Value$EnumQuery
                                                                              • String ID: Inno Setup: No Icons
                                                                              • API String ID: 1576479698-2016326496
                                                                              • Opcode ID: 3eb9ed1d1690eaeb0deb987e737e6f0e3addad57e6e0785e76e80cbf99cc5b2a
                                                                              • Instruction ID: 8ff6cfe083fc45bea0f17a2353d839f102e9d041656b78535328a3702109bc5f
                                                                              • Opcode Fuzzy Hash: 3eb9ed1d1690eaeb0deb987e737e6f0e3addad57e6e0785e76e80cbf99cc5b2a
                                                                              • Instruction Fuzzy Hash: D601A731F493206DF73045156D62F6B5E989B41BA4FA6043BF980EA2C0D698FC05D36E
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00454C81
                                                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00454D13
                                                                              Strings
                                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00454CAD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                                                              • API String ID: 3850602802-809544686
                                                                              • Opcode ID: 19db5683d168dea6e4d83152c44b51dcfe45a57d8587a1acb01dc6fa8e606b97
                                                                              • Instruction ID: a1771b126df0c2f2b5e468513a0a06d8436e31110275e3209c4cc1e313f10ddd
                                                                              • Opcode Fuzzy Hash: 19db5683d168dea6e4d83152c44b51dcfe45a57d8587a1acb01dc6fa8e606b97
                                                                              • Instruction Fuzzy Hash: 3711E5716443506BE700EB299C81B6F7AD89B91309F05443FFA909F3D2C3B95808CB6A
                                                                              APIs
                                                                                • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 0046EF22
                                                                                • Part of subcall function 0046ED74: GetLastError.KERNEL32(00000000,0046EE60,?,?,?,00492054,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046EEE7,00000001), ref: 0046ED95
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: File$DeleteErrorLastMove
                                                                              • String ID: DeleteFile$MoveFile
                                                                              • API String ID: 3195829115-139070271
                                                                              • Opcode ID: a2d290e2d7920f97972b3fbb8e5a53964d8c7c7eddb8ccc1216510306661fe99
                                                                              • Instruction ID: f6697500c5fb3b921b0b40a01fbb3165c23038cdcd264235537eeaaa29907531
                                                                              • Opcode Fuzzy Hash: a2d290e2d7920f97972b3fbb8e5a53964d8c7c7eddb8ccc1216510306661fe99
                                                                              • Instruction Fuzzy Hash: 23F0626820025067DF14BB6BC48269737C98F1139D710457BF8546B387FA7E9C0696AF
                                                                              APIs
                                                                                • Part of subcall function 00453978: GetCurrentProcess.KERNEL32(00000028), ref: 00453987
                                                                                • Part of subcall function 00453978: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0045398D
                                                                              • SetForegroundWindow.USER32(?), ref: 0048E96B
                                                                              Strings
                                                                              • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0048E996
                                                                              • Restarting Windows., xrefs: 0048E948
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                              • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3179053593-4147564754
                                                                              • Opcode ID: 687f6341f5e655f6baef5f59fc286e1d77e19ecc66112b6f847488c30c4ce88e
                                                                              • Instruction ID: d7f48b500572d221f08d0433beb6f1e3e73c57b452a214f76913a84d9222e07c
                                                                              • Opcode Fuzzy Hash: 687f6341f5e655f6baef5f59fc286e1d77e19ecc66112b6f847488c30c4ce88e
                                                                              • Instruction Fuzzy Hash: F70126B46041416BE701F766D542BAE2BD89F85309F9088BBF840A73D3CABD9C49831E
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2944729758.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2944710800.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944796563.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2944818406.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_1iGYsIphmN.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 2acbd4212af28fca318a14b4e20ab3c6b053ed90dd3a254689500132c8af8c6e
                                                                              • Instruction ID: f8ebe0f7ab3c318420ec1bfa1f8413b387aeea4ade5d1637cc85a07d52a99d11
                                                                              • Opcode Fuzzy Hash: 2acbd4212af28fca318a14b4e20ab3c6b053ed90dd3a254689500132c8af8c6e
                                                                              • Instruction Fuzzy Hash: F6F0B472F00514679F30AD9E9D8196F628CDA943E7720012BFD84EB303E539DF49C6A9

                                                                              Execution Graph

                                                                              Execution Coverage: 8.6%
                                                                              Dynamic/Decrypted Code Coverage: 83.7%
                                                                              Signature Coverage: 2.9%
                                                                              Total number of Nodes: 2000
                                                                              Total number of Limit Nodes: 39
20605->20594 20605->20595 20605->20599 20605->20600 20605->20602 20605->20603 20608 2bda71c 73 API calls 20605->20608 20616 2be35e6 60 API calls _strtok 20605->20616 20620 2bd76ec Sleep 20605->20620 20621 2bd76e7 shared_ptr 20605->20621 20624 2bd5119 20605->20624 20653 2bdac06 20605->20653 20663 2bd61f5 20605->20663 20666 2bd8332 20605->20666 20672 2bdd10e 20605->20672 20677 2bd83e1 20605->20677 20685 2bd33b2 20605->20685 20702 2be2850 20605->20702 20705 2be3b4c 20605->20705 20713 2bd972e 20605->20713 20720 2bda846 20605->20720 20728 2bd4100 20605->20728 20732 2be2418 20605->20732 20741 2bd1ba7 20605->20741 20757 2bd3d7e 20605->20757 20764 2bd8ffa 20605->20764 20771 2bd534d 20605->20771 20608->20605 20616->20605 20724 2be18f0 20620->20724 20621->20620 20625 2bd5123 __EH_prolog 20624->20625 20781 2be0b10 20625->20781 20628 2bd3c67 72 API calls 20629 2bd514a 20628->20629 20630 2bd3d7e 64 API calls 20629->20630 20631 2bd5158 20630->20631 20632 2bd8332 89 API calls 20631->20632 20633 2bd516c 20632->20633 20636 2bd5322 shared_ptr 20633->20636 20785 2bda71c 20633->20785 20636->20605 20637 2bd51c4 20640 2bda71c 73 API calls 20637->20640 20638 2bd51f6 20639 2bda71c 73 API calls 20638->20639 20641 2bd5207 20639->20641 20642 2bd51d4 20640->20642 20641->20636 20643 2bda71c 73 API calls 20641->20643 20642->20636 20645 2bda71c 73 API calls 20642->20645 20644 2bd524a 20643->20644 20644->20636 20647 2bda71c 73 API calls 20644->20647 20646 2bd52b4 20645->20646 20646->20636 20648 2bda71c 73 API calls 20646->20648 20647->20642 20649 2bd52da 20648->20649 20649->20636 20650 2bda71c 73 API calls 20649->20650 20651 2bd5304 20650->20651 20790 2bdced0 20651->20790 20654 2bdac10 __EH_prolog 20653->20654 20841 2bdd0e5 20654->20841 20656 2bdac31 shared_ptr 20844 2be20f0 20656->20844 20658 2bdac48 20659 2bdac5e 20658->20659 20850 2bd3fb0 20658->20850 20659->20605 20664 2be2fac _malloc 59 API calls 20663->20664 20665 2bd6208 20664->20665 20667 2bd834a 20666->20667 20671 2bd836b 20666->20671 
21296 2bd95f4 20667->21296 20670 2bd8390 20670->20605 20671->20670 21299 2bd2ac7 20671->21299 20673 2be0b10 Mailbox 68 API calls 20672->20673 20674 2bdd124 20673->20674 20675 2bdd212 20674->20675 20676 2bd2db5 73 API calls 20674->20676 20675->20605 20676->20674 20678 2bd83fc WSASetLastError shutdown 20677->20678 20679 2bd83ec 20677->20679 20681 2bda500 69 API calls 20678->20681 20680 2be0b10 Mailbox 68 API calls 20679->20680 20682 2bd83f1 20680->20682 20683 2bd8419 20681->20683 20682->20605 20683->20682 20684 2be0b10 Mailbox 68 API calls 20683->20684 20684->20682 20686 2bd33c4 InterlockedCompareExchange 20685->20686 20687 2bd33e1 20685->20687 20686->20687 20688 2bd33d6 20686->20688 20689 2bd29ee 76 API calls 20687->20689 21393 2bd32ab 20688->21393 20691 2bd33f1 20689->20691 20691->20605 20695 2be2348 20692->20695 20696 2be236b 20692->20696 20694 2be234e 20698 2be5e5b __read_nolock 59 API calls 20694->20698 20695->20694 20695->20696 21446 2be2383 20696->21446 20697 2be237e 20697->20605 20699 2be2353 20698->20699 20700 2be4ef5 __read_nolock 9 API calls 20699->20700 20701 2be235e 20700->20701 20701->20605 21456 2be286e 20702->21456 20704 2be2869 20704->20605 20709 2be3b54 20705->20709 20706 2be2fac _malloc 59 API calls 20706->20709 20707 2be3b6e 20707->20605 20708 2be8204 __calloc_impl RtlDecodePointer 20708->20709 20709->20706 20709->20707 20709->20708 20710 2be3b72 std::exception::exception 20709->20710 20711 2be455a __CxxThrowException@8 RaiseException 20710->20711 20712 2be3b9c 20711->20712 20714 2bd9738 __EH_prolog 20713->20714 20715 2bd1ba7 210 API calls 20714->20715 20716 2bd978d 20715->20716 20717 2bd97aa RtlEnterCriticalSection 20716->20717 20718 2bd97c8 RtlLeaveCriticalSection 20717->20718 20719 2bd97c5 20717->20719 20718->20605 20719->20718 20721 2bda850 __EH_prolog 20720->20721 21462 2bddff7 20721->21462 20723 2bda86e shared_ptr 20723->20605 20725 2be18fd 20724->20725 20726 2be1921 20724->20726 20725->20726 20727 2be1911 GetProcessHeap HeapFree 
20725->20727 20726->20605 20727->20726 20729 2bd4118 20728->20729 20730 2bd4112 20728->20730 20729->20605 21466 2bda6fa 20730->21466 20733 2be2449 20732->20733 20734 2be2434 20732->20734 20733->20734 20738 2be2450 20733->20738 20735 2be5e5b __read_nolock 59 API calls 20734->20735 20736 2be2439 20735->20736 20737 2be4ef5 __read_nolock 9 API calls 20736->20737 20739 2be2444 20737->20739 20738->20739 21468 2be5f01 20738->21468 20739->20605 21669 2bf53f0 20741->21669 20743 2bd1bb1 RtlEnterCriticalSection 20744 2bd1be9 RtlLeaveCriticalSection 20743->20744 20746 2bd1bd1 20743->20746 21670 2bde327 20744->21670 20746->20744 20747 2bd1c55 RtlLeaveCriticalSection 20746->20747 20747->20605 20748 2bd1c22 20748->20747 20751 2be0b10 Mailbox 68 API calls 20750->20751 20752 2bd3c7e 20751->20752 21752 2bd3ca2 20752->21752 20758 2bd3d99 htons 20757->20758 20759 2bd3dcb htons 20757->20759 21779 2bd3bd3 20758->21779 21785 2bd3c16 20759->21785 20762 2bd3ded 20762->20605 20765 2bd9004 __EH_prolog 20764->20765 21816 2bd373f 20765->21816 20767 2bd901e RtlEnterCriticalSection 20769 2bd902d RtlLeaveCriticalSection 20767->20769 20770 2bd9067 20769->20770 20770->20605 20772 2be2fac _malloc 59 API calls 20771->20772 20773 2bd5362 SHGetSpecialFolderPathA 20772->20773 20774 2bd5378 20773->20774 20774->20774 21825 2be3771 20774->21825 20777 2bd53e2 20777->20605 20779 2bd53dc 21841 2be3a84 20779->21841 20782 2be0b39 20781->20782 20783 2bd513d 20781->20783 20784 2be33a4 __cinit 68 API calls 20782->20784 20783->20628 20784->20783 20786 2be0b10 Mailbox 68 API calls 20785->20786 20788 2bda736 20786->20788 20787 2bd519d 20787->20636 20787->20637 20787->20638 20788->20787 20795 2bd2db5 20788->20795 20791 2be0b10 Mailbox 68 API calls 20790->20791 20793 2bdceea 20791->20793 20792 2bdcff9 20792->20636 20793->20792 20822 2bd2b95 20793->20822 20796 2bd2dca 20795->20796 20797 2bd2de4 20795->20797 20799 2be0b10 Mailbox 68 API calls 20796->20799 20798 2bd2dfc 20797->20798 20800 2bd2def 20797->20800 20809 
2bd2d39 WSASetLastError WSASend 20798->20809 20803 2bd2dcf 20799->20803 20802 2be0b10 Mailbox 68 API calls 20800->20802 20802->20803 20803->20788 20804 2bd2e54 WSASetLastError select 20819 2bda500 20804->20819 20805 2be0b10 68 API calls Mailbox 20807 2bd2e0c 20805->20807 20807->20803 20807->20804 20807->20805 20808 2bd2d39 71 API calls 20807->20808 20808->20807 20810 2bda500 69 API calls 20809->20810 20811 2bd2d6e 20810->20811 20812 2bd2d75 20811->20812 20813 2bd2d82 20811->20813 20814 2be0b10 Mailbox 68 API calls 20812->20814 20815 2be0b10 Mailbox 68 API calls 20813->20815 20817 2bd2d7a 20813->20817 20814->20817 20815->20817 20816 2bd2d9c 20816->20807 20817->20816 20818 2be0b10 Mailbox 68 API calls 20817->20818 20818->20816 20820 2be0b10 Mailbox 68 API calls 20819->20820 20821 2bda50c WSAGetLastError 20820->20821 20821->20807 20823 2bd2bc7 20822->20823 20824 2bd2bb1 20822->20824 20827 2bd2bd2 20823->20827 20836 2bd2bdf 20823->20836 20825 2be0b10 Mailbox 68 API calls 20824->20825 20830 2bd2bb6 20825->20830 20826 2bd2be2 WSASetLastError WSARecv 20828 2bda500 69 API calls 20826->20828 20829 2be0b10 Mailbox 68 API calls 20827->20829 20828->20836 20829->20830 20830->20793 20831 2be0b10 68 API calls Mailbox 20831->20836 20832 2bd2d22 20837 2bd1996 20832->20837 20834 2bd2cbc WSASetLastError select 20835 2bda500 69 API calls 20834->20835 20835->20836 20836->20826 20836->20830 20836->20831 20836->20832 20836->20834 20838 2bd19bb 20837->20838 20839 2bd199f 20837->20839 20838->20830 20840 2be33a4 __cinit 68 API calls 20839->20840 20840->20838 20863 2bde277 20841->20863 20843 2bdd0f7 20843->20656 20948 2be33b9 20844->20948 20847 2be2114 20847->20658 20848 2be213d ResumeThread 20848->20658 20849 2be2136 CloseHandle 20849->20848 20851 2be0b10 Mailbox 68 API calls 20850->20851 20852 2bd3fb8 20851->20852 21267 2bd1815 20852->21267 20855 2bda682 20856 2bda68c __EH_prolog 20855->20856 21273 2bdcc3a 20856->21273 20861 2be455a __CxxThrowException@8 RaiseException 20862 2bda6c0 
20861->20862 20864 2bde281 __EH_prolog 20863->20864 20869 2bd4030 20864->20869 20868 2bde2af 20868->20843 20881 2bf53f0 20869->20881 20871 2bd403a GetProcessHeap RtlAllocateHeap 20872 2bd407c 20871->20872 20873 2bd4053 std::exception::exception 20871->20873 20872->20868 20875 2bd408a 20872->20875 20882 2bda6c1 20873->20882 20876 2bd4094 __EH_prolog 20875->20876 20929 2bda2e0 20876->20929 20881->20871 20883 2bda6cb __EH_prolog 20882->20883 20890 2bdcc70 20883->20890 20889 2bda6f9 20899 2bdd7d0 20890->20899 20893 2bdcc8a 20921 2bdd808 20893->20921 20895 2bda6e8 20896 2be455a 20895->20896 20897 2be4579 RaiseException 20896->20897 20897->20889 20902 2be2513 20899->20902 20905 2be2541 20902->20905 20906 2be254f 20905->20906 20909 2bda6da 20905->20909 20911 2be25d7 20906->20911 20909->20893 20912 2be2554 20911->20912 20913 2be25e0 20911->20913 20912->20909 20915 2be2599 20912->20915 20914 2be2f74 _free 59 API calls 20913->20914 20914->20912 20916 2be25a5 _strlen 20915->20916 20919 2be25ca 20915->20919 20917 2be2fac _malloc 59 API calls 20916->20917 20918 2be25b7 20917->20918 20918->20919 20920 2be6cbc std::exception::_Copy_str 59 API calls 20918->20920 20919->20909 20920->20919 20922 2bdd812 __EH_prolog 20921->20922 20925 2bdb733 20922->20925 20924 2bdd849 Mailbox 20924->20895 20926 2bdb73d __EH_prolog 20925->20926 20927 2be2513 std::exception::exception 59 API calls 20926->20927 20928 2bdb74e Mailbox 20927->20928 20928->20924 20940 2bdb0f7 20929->20940 20932 2bd3fdc 20947 2bf53f0 20932->20947 20934 2bd3fe6 CreateEventA 20935 2bd3ffd 20934->20935 20936 2bd400f 20934->20936 20937 2bd3fb0 Mailbox 68 API calls 20935->20937 20936->20868 20938 2bd4005 20937->20938 20939 2bda682 Mailbox 60 API calls 20938->20939 20939->20936 20941 2bd40c1 20940->20941 20942 2bdb103 20940->20942 20941->20932 20943 2be3b4c _Allocate 60 API calls 20942->20943 20944 2bdb113 std::exception::exception 20942->20944 20943->20944 20944->20941 20945 2be455a __CxxThrowException@8 RaiseException 
20944->20945 20946 2bdfb28 20945->20946 20947->20934 20949 2be33db 20948->20949 20950 2be33c7 20948->20950 20952 2be8a6d __calloc_crt 59 API calls 20949->20952 20951 2be5e5b __read_nolock 59 API calls 20950->20951 20953 2be33cc 20951->20953 20954 2be33e8 20952->20954 20955 2be4ef5 __read_nolock 9 API calls 20953->20955 20956 2be3439 20954->20956 20958 2be5c5a FindHandler 59 API calls 20954->20958 20963 2be210b 20955->20963 20957 2be2f74 _free 59 API calls 20956->20957 20959 2be343f 20957->20959 20960 2be33f5 20958->20960 20959->20963 20967 2be5e3a 20959->20967 20961 2be5ce1 __initptd 59 API calls 20960->20961 20964 2be33fe CreateThread 20961->20964 20963->20847 20963->20848 20963->20849 20964->20963 20966 2be3431 GetLastError 20964->20966 20975 2be3519 20964->20975 20966->20956 20972 2be5e27 20967->20972 20969 2be5e43 _free 20970 2be5e5b __read_nolock 59 API calls 20969->20970 20971 2be5e56 20970->20971 20971->20963 20973 2be5c72 __getptd_noexit 59 API calls 20972->20973 20974 2be5e2c 20973->20974 20974->20969 20976 2be3522 __threadstartex@4 20975->20976 20977 2be91cb __freeptd TlsGetValue 20976->20977 20978 2be3528 20977->20978 20979 2be352f __threadstartex@4 20978->20979 20980 2be355b 20978->20980 20982 2be91ea __freeptd TlsSetValue 20979->20982 20981 2be5aef __freefls@4 59 API calls 20980->20981 20983 2be3576 ___crtIsPackagedApp 20981->20983 20984 2be353e 20982->20984 20987 2be358a 20983->20987 20991 2be34c1 20983->20991 20985 2be3544 GetLastError RtlExitUserThread 20984->20985 20986 2be3551 GetCurrentThreadId 20984->20986 20985->20986 20986->20983 20997 2be3452 20987->20997 20992 2be34ca LoadLibraryExW GetProcAddress 20991->20992 20993 2be3503 RtlDecodePointer 20991->20993 20994 2be34ec 20992->20994 20995 2be34ed RtlEncodePointer 20992->20995 20996 2be3513 20993->20996 20994->20987 20995->20993 20996->20987 20998 2be345e __close 20997->20998 20999 2be5c5a FindHandler 59 API calls 20998->20999 21000 2be3463 20999->21000 21007 2be2160 21000->21007 21025 2be1610 
21007->21025 21010 2be21a8 TlsSetValue 21011 2be21b0 21010->21011 21047 2bdddab 21011->21047 21036 2be1674 21025->21036 21026 2be16f0 21027 2be1706 21026->21027 21030 2be1703 CloseHandle 21026->21030 21031 2be454b __87except 6 API calls 21027->21031 21028 2be16ce ResetEvent 21032 2be16d5 21028->21032 21029 2be168c 21029->21028 21034 2be16a5 OpenEventA 21029->21034 21063 2be1c10 21029->21063 21030->21027 21035 2be171e 21031->21035 21067 2be1850 21032->21067 21033 2be179c WaitForSingleObject 21033->21036 21038 2be16bf 21034->21038 21039 2be16c7 21034->21039 21035->21010 21035->21011 21036->21026 21036->21029 21036->21033 21040 2be1770 CreateEventA 21036->21040 21043 2be1c10 GetCurrentProcessId 21036->21043 21045 2be178e CloseHandle 21036->21045 21038->21039 21042 2be16c4 CloseHandle 21038->21042 21039->21028 21039->21032 21040->21036 21041 2be16a2 21041->21034 21042->21039 21043->21036 21045->21036 21048 2bdddcd 21047->21048 21078 2bd4d86 21048->21078 21049 2bdddd0 21051 2be1f30 21049->21051 21052 2be1f69 TlsGetValue 21051->21052 21061 2be1f61 Mailbox 21051->21061 21052->21061 21054 2be1fdd 21055 2be1fb9 21057 2be2049 GetProcessHeap HeapFree 21057->21061 21061->21054 21061->21055 21061->21057 21062 2be203b GetProcessHeap HeapFree 21061->21062 21062->21057 21077 2be0c70 21063->21077 21065 2be1c62 GetCurrentProcessId 21066 2be1c75 21065->21066 21066->21041 21071 2be185f 21067->21071 21068 2be18b7 21069 2be16ed 21068->21069 21070 2be18c3 SetEvent 21068->21070 21069->21026 21070->21069 21071->21068 21072 2be1895 CreateEventA 21071->21072 21073 2be1c10 GetCurrentProcessId 21071->21073 21072->21068 21074 2be18ab 21072->21074 21075 2be1892 21073->21075 21074->21068 21076 2be18b0 CloseHandle 21074->21076 21075->21072 21076->21068 21077->21065 21079 2bd4d90 __EH_prolog 21078->21079 21080 2be0b10 Mailbox 68 API calls 21079->21080 21081 2bd4da6 RtlEnterCriticalSection RtlLeaveCriticalSection 21080->21081 21082 2bd50d4 shared_ptr 21081->21082 21090 2bd4dd1 
std::bad_exception::bad_exception 21081->21090 21082->21049 21084 2bd50a1 RtlEnterCriticalSection RtlLeaveCriticalSection 21085 2bd50b3 RtlEnterCriticalSection RtlLeaveCriticalSection 21084->21085 21085->21082 21085->21090 21086 2bda71c 73 API calls 21086->21090 21088 2bd4e8d RtlEnterCriticalSection RtlLeaveCriticalSection 21089 2bd4e9f RtlEnterCriticalSection RtlLeaveCriticalSection 21088->21089 21089->21090 21090->21084 21090->21085 21090->21086 21090->21088 21090->21089 21091 2bdced0 73 API calls 21090->21091 21096 2be18f0 2 API calls 21090->21096 21097 2bd4100 2 API calls 21090->21097 21098 2bd4bed 21090->21098 21122 2bd7d1b 21090->21122 21126 2bdd002 21090->21126 21132 2bd7cf5 21090->21132 21135 2bda9a9 21090->21135 21147 2bdaa81 21090->21147 21091->21090 21096->21090 21097->21090 21099 2bd4bf7 __EH_prolog 21098->21099 21100 2bd1ba7 209 API calls 21099->21100 21123 2bd7d37 21122->21123 21220 2bd90a9 21123->21220 21128 2bdd00c __EH_prolog 21126->21128 21127 2bdd035 21130 2bdd07a 21127->21130 21234 2bd888e 21127->21234 21128->21127 21227 2bd9215 21128->21227 21130->21090 21241 2bd88ef 21132->21241 21136 2bda9b3 __EH_prolog 21135->21136 21137 2bd7cf5 std::bad_exception::bad_exception 60 API calls 21136->21137 21138 2bda9cf 21137->21138 21148 2bdaa8b __EH_prolog 21147->21148 21256 2bdd08d 21148->21256 21221 2bd90b9 21220->21221 21242 2bd8978 21241->21242 21243 2bd8904 21241->21243 21270 2be24d3 21267->21270 21271 2be2599 std::exception::_Copy_str 59 API calls 21270->21271 21272 2bd182a 21271->21272 21272->20855 21279 2bdd701 21273->21279 21276 2bdcc54 21288 2bdd739 21276->21288 21278 2bda6af 21278->20861 21282 2bdb225 21279->21282 21283 2bdb22f __EH_prolog 21282->21283 21284 2be2513 std::exception::exception 59 API calls 21283->21284 21285 2bdb240 21284->21285 21286 2bd7cf5 std::bad_exception::bad_exception 60 API calls 21285->21286 21287 2bda6a1 21286->21287 21287->21276 21289 2bdd743 __EH_prolog 21288->21289 21292 2bdb61d 21289->21292 21291 2bdd77a Mailbox 
21291->21278 21293 2bdb627 __EH_prolog 21292->21293 21294 2bdb225 std::bad_exception::bad_exception 60 API calls 21293->21294 21295 2bdb638 Mailbox 21294->21295 21295->21291 21317 2bd353e 21296->21317 21300 2bd2ae8 WSASetLastError connect 21299->21300 21301 2bd2ad8 21299->21301 21302 2bda500 69 API calls 21300->21302 21303 2be0b10 Mailbox 68 API calls 21301->21303 21304 2bd2b07 21302->21304 21305 2bd2add 21303->21305 21304->21305 21306 2be0b10 Mailbox 68 API calls 21304->21306 21307 2be0b10 Mailbox 68 API calls 21305->21307 21306->21305 21308 2bd2b1b 21307->21308 21310 2be0b10 Mailbox 68 API calls 21308->21310 21312 2bd2b38 21308->21312 21310->21312 21316 2bd2b87 21312->21316 21377 2bd3027 21312->21377 21315 2be0b10 Mailbox 68 API calls 21315->21316 21316->20670 21318 2bd3548 __EH_prolog 21317->21318 21319 2bd3557 21318->21319 21320 2bd3576 21318->21320 21322 2bd1996 68 API calls 21319->21322 21339 2bd2edd WSASetLastError WSASocketA 21320->21339 21336 2bd355f 21322->21336 21324 2bd35ad CreateIoCompletionPort 21325 2bd35db 21324->21325 21326 2bd35c5 GetLastError 21324->21326 21328 2be0b10 Mailbox 68 API calls 21325->21328 21327 2be0b10 Mailbox 68 API calls 21326->21327 21329 2bd35d2 21327->21329 21328->21329 21330 2bd35ef 21329->21330 21331 2bd3626 21329->21331 21332 2be0b10 Mailbox 68 API calls 21330->21332 21365 2bddeea 21331->21365 21333 2bd3608 21332->21333 21347 2bd29ee 21333->21347 21336->20671 21337 2bd3659 21338 2be0b10 Mailbox 68 API calls 21337->21338 21338->21336 21340 2be0b10 Mailbox 68 API calls 21339->21340 21341 2bd2f0a WSAGetLastError 21340->21341 21342 2bd2f41 21341->21342 21343 2bd2f21 21341->21343 21342->21324 21342->21336 21344 2bd2f3c 21343->21344 21345 2bd2f27 setsockopt 21343->21345 21346 2be0b10 Mailbox 68 API calls 21344->21346 21345->21344 21346->21342 21350 2bd2a0c 21347->21350 21364 2bd2aad 21347->21364 21348 2be0b10 Mailbox 68 API calls 21351 2bd2ab8 21348->21351 21349 2bd2a39 WSASetLastError closesocket 21352 2bda500 69 API calls 
21349->21352 21350->21349 21353 2be0b10 Mailbox 68 API calls 21350->21353 21351->21336 21354 2bd2a51 21352->21354 21355 2bd2a21 21353->21355 21357 2be0b10 Mailbox 68 API calls 21354->21357 21354->21364 21369 2bd2f50 21355->21369 21359 2bd2a5c 21357->21359 21360 2bd2a7b ioctlsocket WSASetLastError closesocket 21359->21360 21361 2be0b10 Mailbox 68 API calls 21359->21361 21362 2bda500 69 API calls 21360->21362 21363 2bd2a6e 21361->21363 21362->21364 21363->21360 21363->21364 21364->21348 21364->21351 21366 2bddef4 __EH_prolog 21365->21366 21367 2be3b4c _Allocate 60 API calls 21366->21367 21368 2bddf08 21367->21368 21368->21337 21370 2bd2f5b 21369->21370 21371 2bd2f70 WSASetLastError setsockopt 21369->21371 21372 2be0b10 Mailbox 68 API calls 21370->21372 21373 2bda500 69 API calls 21371->21373 21376 2bd2a36 21372->21376 21374 2bd2f9e 21373->21374 21375 2be0b10 Mailbox 68 API calls 21374->21375 21374->21376 21375->21376 21376->21349 21378 2bd304d WSASetLastError select 21377->21378 21379 2bd303b 21377->21379 21381 2bda500 69 API calls 21378->21381 21380 2be0b10 Mailbox 68 API calls 21379->21380 21384 2bd2b59 21380->21384 21382 2bd3095 21381->21382 21383 2be0b10 Mailbox 68 API calls 21382->21383 21382->21384 21383->21384 21384->21316 21385 2bd2fb4 21384->21385 21386 2bd2fd5 WSASetLastError getsockopt 21385->21386 21387 2bd2fc0 21385->21387 21388 2bda500 69 API calls 21386->21388 21389 2be0b10 Mailbox 68 API calls 21387->21389 21390 2bd300f 21388->21390 21392 2bd2b7a 21389->21392 21391 2be0b10 Mailbox 68 API calls 21390->21391 21390->21392 21391->21392 21392->21315 21392->21316 21400 2bf53f0 21393->21400 21395 2bd32b5 RtlEnterCriticalSection 21396 2be0b10 Mailbox 68 API calls 21395->21396 21397 2bd32d6 21396->21397 21401 2bd3307 21397->21401 21400->21395 21403 2bd3311 __EH_prolog 21401->21403 21404 2bd3350 21403->21404 21413 2bd7e79 21403->21413 21417 2bd239d 21404->21417 21407 2bd3390 21423 2bd7e22 21407->21423 21408 2be0b10 Mailbox 68 API calls 21410 2bd337c 
21408->21410 21412 2bd2d39 71 API calls 21410->21412 21412->21407 21416 2bd7e87 21413->21416 21414 2bd7efd 21414->21403 21416->21414 21427 2bd89de 21416->21427 21421 2bd23ab 21417->21421 21418 2bd2417 21418->21407 21418->21408 21419 2bd23c1 PostQueuedCompletionStatus 21420 2bd23da RtlEnterCriticalSection 21419->21420 21419->21421 21420->21421 21421->21418 21421->21419 21422 2bd23f8 InterlockedExchange RtlLeaveCriticalSection 21421->21422 21422->21421 21425 2bd7e27 21423->21425 21424 2bd32ee RtlLeaveCriticalSection 21424->20687 21425->21424 21443 2bd1e7f 21425->21443 21428 2bd8a08 21427->21428 21429 2bd7e22 68 API calls 21428->21429 21431 2bd8a4e 21429->21431 21430 2bd8a75 21430->21414 21431->21430 21433 2bda26b 21431->21433 21434 2bda275 21433->21434 21435 2bda285 21433->21435 21434->21435 21438 2bdfb29 21434->21438 21435->21430 21439 2be24d3 std::exception::exception 59 API calls 21438->21439 21440 2bdfb41 21439->21440 21441 2be455a __CxxThrowException@8 RaiseException 21440->21441 21442 2bdfb56 21441->21442 21444 2be0b10 Mailbox 68 API calls 21443->21444 21445 2bd1e90 21444->21445 21445->21425 21447 2be227b _LocaleUpdate::_LocaleUpdate 59 API calls 21446->21447 21448 2be2397 21447->21448 21449 2be23a5 21448->21449 21455 2be23bc 21448->21455 21450 2be5e5b __read_nolock 59 API calls 21449->21450 21451 2be23aa 21450->21451 21452 2be4ef5 __read_nolock 9 API calls 21451->21452 21453 2be23b5 ___ascii_stricmp 21452->21453 21453->20697 21454 2be597a 66 API calls __tolower_l 21454->21455 21455->21453 21455->21454 21457 2be288b 21456->21457 21458 2be5e5b __read_nolock 59 API calls 21457->21458 21461 2be289b _strlen 21457->21461 21459 2be2890 21458->21459 21460 2be4ef5 __read_nolock 9 API calls 21459->21460 21460->21461 21461->20704 21463 2bde001 __EH_prolog 21462->21463 21464 2be3b4c _Allocate 60 API calls 21463->21464 21465 2bde018 21464->21465 21465->20723 21467 2bda709 GetProcessHeap HeapFree 21466->21467 21467->20729 21489 2be9e31 21468->21489 21470 2be5f0f 21471 
2be5f1a 21470->21471 21472 2be5f31 21470->21472 21473 2be5e5b __read_nolock 59 API calls 21471->21473 21474 2be5f36 21472->21474 21475 2be5f43 __flsbuf 21472->21475 21482 2be5f1f 21473->21482 21476 2be5e5b __read_nolock 59 API calls 21474->21476 21475->21482 21485 2be5f92 21475->21485 21488 2be5f9d 21475->21488 21496 2bef7a2 21475->21496 21476->21482 21477 2be5fa7 21480 2be5fc1 21477->21480 21484 2be5fd8 21477->21484 21478 2be6021 21479 2be9e55 __write 79 API calls 21478->21479 21479->21482 21508 2be9e55 21480->21508 21482->20739 21484->21482 21536 2bef7f6 21484->21536 21485->21488 21505 2bef965 21485->21505 21488->21477 21488->21478 21490 2be9e3b 21489->21490 21491 2be9e50 21489->21491 21492 2be5e5b __read_nolock 59 API calls 21490->21492 21491->21470 21493 2be9e40 21492->21493 21494 2be4ef5 __read_nolock 9 API calls 21493->21494 21495 2be9e4b 21494->21495 21495->21470 21497 2bef7ad 21496->21497 21498 2bef7ba 21496->21498 21499 2be5e5b __read_nolock 59 API calls 21497->21499 21501 2bef7c6 21498->21501 21502 2be5e5b __read_nolock 59 API calls 21498->21502 21500 2bef7b2 21499->21500 21500->21485 21501->21485 21503 2bef7e7 21502->21503 21504 2be4ef5 __read_nolock 9 API calls 21503->21504 21504->21500 21506 2be8ab5 __malloc_crt 59 API calls 21505->21506 21507 2bef97a 21506->21507 21507->21488 21509 2be9e61 __close 21508->21509 21510 2be9e6e 21509->21510 21511 2be9e85 21509->21511 21512 2be5e27 __read_nolock 59 API calls 21510->21512 21513 2be9f24 21511->21513 21516 2be9e99 21511->21516 21515 2be9e73 21512->21515 21514 2be5e27 __read_nolock 59 API calls 21513->21514 21517 2be9ebc 21514->21517 21518 2be5e5b __read_nolock 59 API calls 21515->21518 21519 2be9eb7 21516->21519 21520 2be9ec1 21516->21520 21523 2be5e5b __read_nolock 59 API calls 21517->21523 21528 2be9e7a __close 21518->21528 21522 2be5e27 __read_nolock 59 API calls 21519->21522 21561 2bf0c87 21520->21561 21522->21517 21525 2be9f30 21523->21525 21524 2be9ec7 21526 2be9eed 21524->21526 21527 2be9eda 
21524->21527 21529 2be4ef5 __read_nolock 9 API calls 21525->21529 21531 2be5e5b __read_nolock 59 API calls 21526->21531 21570 2be9f44 21527->21570 21528->21482 21529->21528 21533 2be9ef2 21531->21533 21532 2be9ee6 21629 2be9f1c 21532->21629 21534 2be5e27 __read_nolock 59 API calls 21533->21534 21534->21532 21537 2bef802 __close 21536->21537 21538 2bef813 21537->21538 21540 2bef82b 21537->21540 21539 2be5e27 __read_nolock 59 API calls 21538->21539 21542 2bef818 21539->21542 21541 2bef8d0 21540->21541 21545 2bef860 21540->21545 21543 2be5e27 __read_nolock 59 API calls 21541->21543 21544 2be5e5b __read_nolock 59 API calls 21542->21544 21546 2bef8d5 21543->21546 21555 2bef820 __close 21544->21555 21547 2bf0c87 ___lock_fhandle 60 API calls 21545->21547 21548 2be5e5b __read_nolock 59 API calls 21546->21548 21549 2bef866 21547->21549 21550 2bef8dd 21548->21550 21551 2bef87c 21549->21551 21552 2bef894 21549->21552 21553 2be4ef5 __read_nolock 9 API calls 21550->21553 21554 2bef8f2 __lseeki64_nolock 61 API calls 21551->21554 21556 2be5e5b __read_nolock 59 API calls 21552->21556 21553->21555 21557 2bef88b 21554->21557 21555->21482 21558 2bef899 21556->21558 21665 2bef8c8 21557->21665 21559 2be5e27 __read_nolock 59 API calls 21558->21559 21559->21557 21562 2bf0c93 __close 21561->21562 21563 2bf0ce2 RtlEnterCriticalSection 21562->21563 21565 2be88ee __lock 59 API calls 21562->21565 21564 2bf0d08 __close 21563->21564 21564->21524 21566 2bf0cb8 21565->21566 21567 2bf0cd0 21566->21567 21568 2be920c __ioinit InitializeCriticalSectionAndSpinCount 21566->21568 21632 2bf0d0c 21567->21632 21568->21567 21571 2be9f51 __write_nolock 21570->21571 21572 2be9faf 21571->21572 21573 2be9f90 21571->21573 21604 2be9f85 21571->21604 21576 2be9feb 21572->21576 21577 2bea007 21572->21577 21575 2be5e27 __read_nolock 59 API calls 21573->21575 21574 2be454b __87except 6 API calls 21578 2bea7a5 21574->21578 21579 2be9f95 21575->21579 21580 2be5e27 __read_nolock 59 API calls 21576->21580 21582 2bea020 

Control-flow Graph

APIs
• Sleep.KERNEL32(0000EA60), ref: 02BD6708
• RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD6713
• RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD6724
• InternetOpenA.WININET(?), ref: 02BD72B5
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02BD72DD
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02BD72F5
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02BD730D
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02BD7336
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02BD7358
• InternetCloseHandle.WININET(00000000), ref: 02BD7378
• InternetCloseHandle.WININET(00000000), ref: 02BD7383
• RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD73EE
• RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD73FF
• _malloc.LIBCMT ref: 02BD7498
• RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD74AA
• RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD74B6
• _malloc.LIBCMT ref: 02BD758E
• _strtok.LIBCMT ref: 02BD75BF
• _swscanf.LIBCMT ref: 02BD75D6
• _strtok.LIBCMT ref: 02BD75ED
• _free.LIBCMT ref: 02BD75F9
• Sleep.KERNEL32(000007D0), ref: 02BD76F1
• RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD7772
• RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD7784
• _sprintf.LIBCMT ref: 02BD7822
• RtlEnterCriticalSection.NTDLL(00000020), ref: 02BD78E6
• RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BD791A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
• String ID: $%d;$0m~$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
• API String ID: 1657546717-442527510
• Opcode ID: 8738f912489ac722792ac4de68aa8625a80e513ac4f2115143e1fb8c268c2d3f
• Instruction ID: 5de2e2ccc8c5bd0ee3bed59617dc43818a05b0be8e0bc99d2eff74d0bf0081ff
• Opcode Fuzzy Hash: 8738f912489ac722792ac4de68aa8625a80e513ac4f2115143e1fb8c268c2d3f
• Instruction Fuzzy Hash: E632F2315483819FE734AB24D844BEFBBE9EF85314F1448ADF58A97291EB70A508CF52

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.NTDLL(02C071E0), ref: 02BD64BA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02BD64D1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02BD64DA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02BD64E9
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02BD64EC
                                                                              • GetTickCount.KERNEL32 ref: 02BD64F8
                                                                                • Part of subcall function 02BD605A: _malloc.LIBCMT ref: 02BD6068
                                                                              • GetVersionExA.KERNEL32(02C07038), ref: 02BD6525
                                                                              • _malloc.LIBCMT ref: 02BD6551
                                                                                • Part of subcall function 02BE2FAC: __FF_MSGBANNER.LIBCMT ref: 02BE2FC3
                                                                                • Part of subcall function 02BE2FAC: __NMSG_WRITE.LIBCMT ref: 02BE2FCA
                                                                                • Part of subcall function 02BE2FAC: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 02BE2FEF
                                                                              • _malloc.LIBCMT ref: 02BD6561
                                                                              • _malloc.LIBCMT ref: 02BD656C
                                                                              • _malloc.LIBCMT ref: 02BD6577
                                                                              • _malloc.LIBCMT ref: 02BD6582
                                                                              • _malloc.LIBCMT ref: 02BD658D
                                                                              • _malloc.LIBCMT ref: 02BD6598
                                                                              • _malloc.LIBCMT ref: 02BD65A7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02BD65BE
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02BD65C7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BD65D6
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02BD65D9
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BD65E4
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02BD65E7
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD6621
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD662E
                                                                              • _malloc.LIBCMT ref: 02BD6652
                                                                              • _malloc.LIBCMT ref: 02BD6660
                                                                              • _malloc.LIBCMT ref: 02BD6667
                                                                              • _malloc.LIBCMT ref: 02BD668D
                                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 02BD66A0
                                                                              • Sleep.KERNEL32 ref: 02BD66AE
                                                                              • _malloc.LIBCMT ref: 02BD66BA
                                                                              • _malloc.LIBCMT ref: 02BD66C7
                                                                              • Sleep.KERNEL32(0000EA60), ref: 02BD6708
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD6713
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD6724
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$]-X$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 4273019447-2597084616
                                                                              • Opcode ID: 9a4e2ac71708be551941017b091e82c16de24b8007553742dbc1c825f482ca26
                                                                              • Instruction ID: 64be51d290f5647cc857a5454f31c813f2da1f02a74f8cd92dbdc3dc93cff9eb
                                                                              • Opcode Fuzzy Hash: 9a4e2ac71708be551941017b091e82c16de24b8007553742dbc1c825f482ca26
                                                                              • Instruction Fuzzy Hash: 5171B7B1D48340AFE7106F74AC49B5BBBE9AF89350F100C9DFA8597280DBB45814DF96

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                              • API String ID: 514930453-3667123677
                                                                              • Opcode ID: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                              • Instruction ID: 38440359ad4724572ca0372a4bc8090c683b298b5ffde01d95b1867a6a9b844d
                                                                              • Opcode Fuzzy Hash: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                              • Instruction Fuzzy Hash: F921B870904109AFEF119F65C9447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02BDF9B4
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BDF9CD
                                                                              • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02BDF9F2
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 02BDFA7B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                              • API String ID: 514930453-3114217049
                                                                              • Opcode ID: b873d968b2bb99e399ac9e60026f987c94cde51f962d4e5926d1b78d55918373
                                                                              • Instruction ID: 0c92b6f6511aa686b9172c5ede0c69b631da944f7cb8a20f463b5f01130ed5d4
                                                                              • Opcode Fuzzy Hash: b873d968b2bb99e399ac9e60026f987c94cde51f962d4e5926d1b78d55918373
                                                                              • Instruction Fuzzy Hash: 0A218775E08209AFDB10DBB8D884AFEBBF9EF05354F1440E5D516E7611EB308945CBA0

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02BDF8B9
                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02BDF8F7
                                                                              • GetLastError.KERNEL32 ref: 02BDF958
                                                                              • CloseHandle.KERNEL32(?), ref: 02BDF98F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: de31b5ed968a331fbf1e55ddc77f2300621fd3975631974eaf158d7699145cde
                                                                              • Instruction ID: db7c8e1bda3dcc1aa8c6004ac7e7191c1f3951c4555f3420a71d5471b18a113a
                                                                              • Opcode Fuzzy Hash: de31b5ed968a331fbf1e55ddc77f2300621fd3975631974eaf158d7699145cde
                                                                              • Instruction Fuzzy Hash: 3E31C371D04219BBDB24CF94C884AFEBBB9FF04754F2041EAE606A3640EB749A05CB90

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                              • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                              • GetLastError.KERNEL32 ref: 00401B0E
                                                                              • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                              • Instruction ID: fc4aaa1cf60edb7db06fdbd05dea25136cd7d186831ecbc7bbbcf924abbffa34
                                                                              • Opcode Fuzzy Hash: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                              • Instruction Fuzzy Hash: 74318B71D00218EADB21AFA5CD849EFBBB9FF41750F20407AE554B32A0E7785E45CB98

                                                                              Control-flow Graph (rendered graph omitted)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$]-X$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 0-2597084616
                                                                              • Opcode ID: b52b5e64ba7d0b1bff0e441a25f4e1335f50cdc53f0b70e8e0fae0096eba5ad8
                                                                              • Instruction ID: a5836077f8e39dbf7a891c07d21270c7f4eead96024be0e7911d14b5a9f0702f
                                                                              • Opcode Fuzzy Hash: b52b5e64ba7d0b1bff0e441a25f4e1335f50cdc53f0b70e8e0fae0096eba5ad8
                                                                              • Instruction Fuzzy Hash: F6C16BB19483809FE711AF34AC45B9BBFE8EF85320F1408EEF5859B281DB745815CB96

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BD1D11
                                                                              • GetLastError.KERNEL32 ref: 02BD1D23
                                                                                • Part of subcall function 02BD1712: __EH_prolog.LIBCMT ref: 02BD1717
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BD1D59
                                                                              • GetLastError.KERNEL32 ref: 02BD1D6B
                                                                              • __beginthreadex.LIBCMT ref: 02BD1DB1
                                                                              • GetLastError.KERNEL32 ref: 02BD1DC6
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BD1DDD
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BD1DEC
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02BD1E14
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BD1E1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                              • String ID: thread$thread.entry_event$thread.exit_event
                                                                              • API String ID: 831262434-3017686385
                                                                              • Opcode ID: 9cfded6aa0e1b4390045163c956e7fbc9a88369900cc208a02e52c813e173b0b
                                                                              • Instruction ID: db3e6468579d2f4ba6512330f14707cf1b57213c84ab654495554556dbf078bb
                                                                              • Opcode Fuzzy Hash: 9cfded6aa0e1b4390045163c956e7fbc9a88369900cc208a02e52c813e173b0b
                                                                              • Instruction Fuzzy Hash: 0F315A71A103059FDB00EF34C848B6BBBA5FF84754F1049ADF9599B290EB709949CB92

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD4D8B
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD4DB7
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD4DC3
                                                                                • Part of subcall function 02BD4BED: __EH_prolog.LIBCMT ref: 02BD4BF2
                                                                                • Part of subcall function 02BD4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02BD4CF2
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD4E93
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD4E99
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD4EA0
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD4EA6
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD50A7
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD50AD
                                                                              • RtlEnterCriticalSection.NTDLL(02C071E0), ref: 02BD50B8
                                                                              • RtlLeaveCriticalSection.NTDLL(02C071E0), ref: 02BD50C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                              • String ID:
                                                                              • API String ID: 2062355503-0
                                                                              • Opcode ID: 5fac753f1c8c9100338054abc673e2eff5e774acc584d52a3f46e8700282a727
                                                                              • Instruction ID: a7b3961b52e36b32d9e8c10e2ea88d4e85da15bec58d31dd114b89526e87d7fe
                                                                              • Opcode Fuzzy Hash: 5fac753f1c8c9100338054abc673e2eff5e774acc584d52a3f46e8700282a727
                                                                              • Instruction Fuzzy Hash: AEB13A71D0025DDFEF25DFA0D844BEEBBB5AF04314F24409AE50966280EBB46A49CFA5

                                                                              Control-flow Graph

                                                                              control_flow_graph 887 401f64-401f84 FindResourceA 888 401f86-401f9d GetLastError SizeofResource 887->888 889 401f9f-401fa1 887->889 888->889 890 401fa6-401fec LoadResource LockResource GlobalAlloc call 402900 * 2 888->890 891 402096-40209a 889->891 896 401fee-401ff9 890->896 896->896 897 401ffb-402003 GetTickCount 896->897 898 402032-402038 897->898 899 402005-402007 897->899 900 402053-402083 GlobalAlloc call 401c26 898->900 901 40203a-40204a 898->901 899->900 902 402009-40200f 899->902 909 402088-402093 900->909 903 40204c 901->903 904 40204e-402051 901->904 902->900 906 402011-402023 902->906 903->904 904->900 904->901 907 402025 906->907 908 402027-40202a 906->908 907->908 908->906 910 40202c-40202e 908->910 909->891 910->902 911 402030 910->911 911->900
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                              • GetLastError.KERNEL32 ref: 00401F86
                                                                              • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                              • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                              • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                              • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                              • GetTickCount.KERNEL32 ref: 00401FFB
                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                              • String ID:
                                                                              • API String ID: 564119183-0
                                                                              • Opcode ID: 44f877009007b5f29329c5f7e1656286887f6d20cb13e747ef411fa866021a9c
                                                                              • Instruction ID: e5d4e2c5cc696d14c6606068760314b471c6e553d687b3536135e46d88421c00
                                                                              • Opcode Fuzzy Hash: 44f877009007b5f29329c5f7e1656286887f6d20cb13e747ef411fa866021a9c
                                                                              • Instruction Fuzzy Hash: AA314E71A00255AFDB105FB59F88A6F7F68EF49344F10407AFA46F7281DA748841C7A8

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD2706
                                                                              • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BD272B
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BF5B53), ref: 02BD2738
                                                                                • Part of subcall function 02BD1712: __EH_prolog.LIBCMT ref: 02BD1717
                                                                              • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02BD2778
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD27D9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID: timer
                                                                              • API String ID: 4293676635-1792073242
                                                                              • Opcode ID: 96728ad9192774f30ca471c1cd5e24d47f7518f59ee51ae06c2cf8d1b30787a5
                                                                              • Instruction ID: 4534676fbde6fed3c40294e1b7a1feb4440ca58ccac9daa22748597c1a6f206f
                                                                              • Opcode Fuzzy Hash: 96728ad9192774f30ca471c1cd5e24d47f7518f59ee51ae06c2cf8d1b30787a5
                                                                              • Instruction Fuzzy Hash: 72319CB1904745AFD360DF35C944B66FBE8FB48B64F004AAAF91583A80EB70E804CF95

                                                                              Control-flow Graph

                                                                              control_flow_graph 963 2bd2b95-2bd2baf 964 2bd2bc7-2bd2bcb 963->964 965 2bd2bb1-2bd2bb9 call 2be0b10 963->965 967 2bd2bcd-2bd2bd0 964->967 968 2bd2bdf 964->968 973 2bd2bbf-2bd2bc2 965->973 967->968 971 2bd2bd2-2bd2bdd call 2be0b10 967->971 969 2bd2be2-2bd2c11 WSASetLastError WSARecv call 2bda500 968->969 975 2bd2c16-2bd2c1d 969->975 971->973 976 2bd2d30 973->976 978 2bd2c2c-2bd2c32 975->978 979 2bd2c1f-2bd2c2a call 2be0b10 975->979 980 2bd2d32-2bd2d38 976->980 982 2bd2c34-2bd2c39 call 2be0b10 978->982 983 2bd2c46-2bd2c48 978->983 988 2bd2c3f-2bd2c42 979->988 982->988 986 2bd2c4f-2bd2c60 call 2be0b10 983->986 987 2bd2c4a-2bd2c4d 983->987 986->980 990 2bd2c66-2bd2c69 986->990 987->990 988->983 992 2bd2c6b-2bd2c6d 990->992 993 2bd2c73-2bd2c76 990->993 992->993 995 2bd2d22-2bd2d2d call 2bd1996 992->995 993->976 996 2bd2c7c-2bd2c9a call 2be0b10 call 2bd166f 993->996 995->976 1003 2bd2cbc-2bd2cfa WSASetLastError select call 2bda500 996->1003 1004 2bd2c9c-2bd2cba call 2be0b10 call 2bd166f 996->1004 1009 2bd2cfc-2bd2d06 call 2be0b10 1003->1009 1010 2bd2d08 1003->1010 1004->976 1004->1003 1018 2bd2d19-2bd2d1d 1009->1018 1013 2bd2d0a-2bd2d12 call 2be0b10 1010->1013 1014 2bd2d15-2bd2d17 1010->1014 1013->1014 1014->976 1014->1018 1018->969
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02BD2BE4
                                                                              • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02BD2C07
                                                                                • Part of subcall function 02BDA500: WSAGetLastError.WS2_32(00000000,?,?,02BD2A51), ref: 02BDA50E
                                                                              • WSASetLastError.WS2_32 ref: 02BD2CD3
                                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02BD2CE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Recvselect
                                                                              • String ID: 3'
                                                                              • API String ID: 886190287-280543908
                                                                              • Opcode ID: 2b3b9c9a5ac1acada784129e487eaaa48e8935836ae83aad6b57f194f2bf2681
                                                                              • Instruction ID: a7cffd0678b545b104f43146162120b3e8b1e2e2a62c43d48da00f0c312c2477
                                                                              • Opcode Fuzzy Hash: 2b3b9c9a5ac1acada784129e487eaaa48e8935836ae83aad6b57f194f2bf2681
                                                                              • Instruction Fuzzy Hash: 4F417CB19143458FDB10AF74C5047ABBBE9EF84358F100D9EE89993281FBB0D940CB91

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 00402ED6
                                                                                • Part of subcall function 00403FF4: HeapCreate.KERNEL32(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                • Part of subcall function 00403FF4: HeapDestroy.KERNEL32 ref: 00404044
                                                                              • GetCommandLineA.KERNEL32 ref: 00402F24
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402F4F
                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402F72
                                                                                • Part of subcall function 00402FCB: ExitProcess.KERNEL32 ref: 00402FE8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                              • String ID: Y
                                                                              • API String ID: 2057626494-4136946213
                                                                              • Opcode ID: 325e7f914570c168081717ad5a7bff573080d66766d455433493ccebbf55a55a
                                                                              • Instruction ID: 6c04a93e5977c8bd62da79476c711382ac288be854cd46207c6038a295986733
                                                                              • Opcode Fuzzy Hash: 325e7f914570c168081717ad5a7bff573080d66766d455433493ccebbf55a55a
                                                                              • Instruction Fuzzy Hash: 0F21AEB1800615AADB08AFA6DE4AA6E7FB8EF04705F10413FF501BB2E1DB388500CB58

                                                                              Control-flow Graph

                                                                              control_flow_graph 1099 2bd29ee-2bd2a06 1100 2bd2a0c-2bd2a10 1099->1100 1101 2bd2ab3-2bd2abb call 2be0b10 1099->1101 1103 2bd2a39-2bd2a4c WSASetLastError closesocket call 2bda500 1100->1103 1104 2bd2a12-2bd2a15 1100->1104 1109 2bd2abe-2bd2ac6 1101->1109 1110 2bd2a51-2bd2a55 1103->1110 1104->1103 1105 2bd2a17-2bd2a36 call 2be0b10 call 2bd2f50 1104->1105 1105->1103 1110->1101 1112 2bd2a57-2bd2a5f call 2be0b10 1110->1112 1117 2bd2a69-2bd2a71 call 2be0b10 1112->1117 1118 2bd2a61-2bd2a67 1112->1118 1124 2bd2aaf-2bd2ab1 1117->1124 1125 2bd2a73-2bd2a79 1117->1125 1118->1117 1119 2bd2a7b-2bd2aad ioctlsocket WSASetLastError closesocket call 2bda500 1118->1119 1119->1124 1124->1101 1124->1109 1125->1119 1125->1124
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02BD2A3B
                                                                              • closesocket.WS2_32 ref: 02BD2A42
                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02BD2A89
                                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02BD2A97
                                                                              • closesocket.WS2_32 ref: 02BD2A9E
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                              • String ID:
                                                                              • API String ID: 1561005644-0
                                                                              • Opcode ID: 64da1e7ad1e244d59a8acde7ddebc15ccf7e0c75a16af845e0159c4b8c5ec5da
                                                                              • Instruction ID: 2c9e33aa64fa7b9fc887c03626e2dbf0cd8c2a0cea0b49fc4d7911ba8a399cea
                                                                              • Opcode Fuzzy Hash: 64da1e7ad1e244d59a8acde7ddebc15ccf7e0c75a16af845e0159c4b8c5ec5da
                                                                              • Instruction Fuzzy Hash: 2C21F875E00245ABEB20ABF8D8447AAB7E9EF44315F144DE9E955D3242FBB0C940CB61

                                                                              Control-flow Graph

                                                                              control_flow_graph 1126 2bd1ba7-2bd1bcf call 2bf53f0 RtlEnterCriticalSection 1129 2bd1be9-2bd1bf7 RtlLeaveCriticalSection call 2bde327 1126->1129 1130 2bd1bd1 1126->1130 1132 2bd1bfa-2bd1c20 RtlEnterCriticalSection 1129->1132 1131 2bd1bd4-2bd1be0 call 2bd1b79 1130->1131 1138 2bd1c55-2bd1c6e RtlLeaveCriticalSection 1131->1138 1139 2bd1be2-2bd1be7 1131->1139 1134 2bd1c34-2bd1c36 1132->1134 1136 2bd1c38-2bd1c43 1134->1136 1137 2bd1c22-2bd1c2f call 2bd1b79 1134->1137 1141 2bd1c45-2bd1c4b 1136->1141 1137->1141 1144 2bd1c31 1137->1144 1139->1129 1139->1131 1141->1138 1143 2bd1c4d-2bd1c51 1141->1143 1143->1138 1144->1134
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD1BAC
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02BD1BBC
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02BD1BEA
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02BD1C13
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02BD1C56
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                              • String ID:
                                                                              • API String ID: 1633115879-0
                                                                              • Opcode ID: 5f2bb9a4817b20a74572c846e30646edd8b9fba8966add7232d933972eef1ffc
                                                                              • Instruction ID: fb5b55392fed92bbe69f8d74e7e6bcfb0e278cff3c3b7876287cdac89ffe0c10
                                                                              • Opcode Fuzzy Hash: 5f2bb9a4817b20a74572c846e30646edd8b9fba8966add7232d933972eef1ffc
                                                                              • Instruction Fuzzy Hash: 2921AB75A002049FDB14CF6CC484B9ABBB5FF48310F1489C9E81A9B301EB70E915CBA0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BD2EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BD2EFD
• WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BD2F0C
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02BD2F36
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Socketsetsockopt
• String ID:
• API String ID: 2093263913-0
APIs
  • Part of subcall function 02BD2D39: WSASetLastError.WS2_32(00000000), ref: 02BD2D47
  • Part of subcall function 02BD2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BD2D5C
• WSASetLastError.WS2_32(00000000), ref: 02BD2E6D
• select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02BD2E83
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Sendselect
• String ID: 3'
• API String ID: 2958345159-280543908
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BD2AEA
• connect.WS2_32(?,?,?), ref: 02BD2AF5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ErrorLastconnect
• String ID: 3'
• API String ID: 374722065-280543908
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Close
• String ID: $Kd$'N!
• API String ID: 3535843008-485235335
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: DP Free Video Converter 10.23.46
• API String ID: 3356406503-2979630242
APIs
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02BD36A7
  • Part of subcall function 02BD2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BD2432
  • Part of subcall function 02BD2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BD2445
  • Part of subcall function 02BD2420: RtlEnterCriticalSection.NTDLL(?), ref: 02BD2454
  • Part of subcall function 02BD2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2469
  • Part of subcall function 02BD2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02BD2470
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 1601054111-0
APIs
• __beginthreadex.LIBCMT ref: 02BE2106
• CloseHandle.KERNEL32(?,?,?,?,?,00000002,02BDA980,00000000), ref: 02BE2137
• ResumeThread.KERNEL32(?,?,?,?,?,00000002,02BDA980,00000000), ref: 02BE2145
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CloseHandleResumeThread__beginthreadex
• String ID:
• API String ID: 1685284544-0
APIs
• InterlockedIncrement.KERNEL32(02C072B4), ref: 02BD1ABA
• WSAStartup.WS2_32(00000002,00000000), ref: 02BD1ACB
• InterlockedExchange.KERNEL32(02C072B8,00000000), ref: 02BD1AD7
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: Interlocked$ExchangeIncrementStartup
• String ID:
• API String ID: 1856147945-0
APIs
• GetCommandLineW.KERNEL32 ref: 0040250A
• CommandLineToArgvW.SHELL32(00000000), ref: 0040D0D1
• GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CommandLine$ArgvLocalTime
• String ID:
• API String ID: 3768950922-0
APIs
• GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: LocalTime
• String ID: (
• API String ID: 481472006-3887548279
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Close
• String ID: DP Free Video Converter 10.23.46
• API String ID: 3535843008-2979630242
APIs
• __EH_prolog.LIBCMT ref: 02BD4BF2
  • Part of subcall function 02BD1BA7: __EH_prolog.LIBCMT ref: 02BD1BAC
  • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1BBC
  • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1BEA
  • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1C13
  • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1C56
  • Part of subcall function 02BDE0EF: __EH_prolog.LIBCMT ref: 02BDE0F4
  • Part of subcall function 02BDE0EF: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BDE173
• InterlockedExchange.KERNEL32(?,00000000), ref: 02BD4CF2
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
• String ID:
• API String ID: 1927618982-0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BD2D47
• WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BD2D5C
  • Part of subcall function 02BDA500: WSAGetLastError.WS2_32(00000000,?,?,02BD2A51), ref: 02BDA50E
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Send
• String ID:
• API String ID: 1282938840-0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BD83FE
• shutdown.WS2_32(?,00000002), ref: 02BD8407
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
                                                                              • Opcode ID: 8b23ef873b7313670046f4b59637b26083646ef718948ebbc18b48ccc6175d17
                                                                              • Instruction ID: 8b4bee5a08d43092659b813c3adb6050b530426ba06a404d45731cc10fb51ebc
                                                                              • Opcode Fuzzy Hash: 8b23ef873b7313670046f4b59637b26083646ef718948ebbc18b48ccc6175d17
                                                                              • Instruction Fuzzy Hash: A0F09071A043148FC750AF68D414B9AB7E5FF09325F00889CE995A7380EB70A801CFA1
                                                                              APIs
                                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                • Part of subcall function 00403EAC: GetVersionExA.KERNEL32 ref: 00403ECB
                                                                              • HeapDestroy.KERNEL32 ref: 00404044
                                                                                • Part of subcall function 004043CB: HeapAlloc.KERNEL32(00000000,00000140,0040402D,000003F8), ref: 004043D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                              • String ID:
                                                                              • API String ID: 2507506473-0
                                                                              • Opcode ID: 08e9c7453818299e866e88d70da67c55485919fcfb4e135f4816fa3d6e61eb40
                                                                              • Instruction ID: b4f27171ca293894694a4990bfc5d7c260993408134cd234969321435d2c18a9
                                                                              • Opcode Fuzzy Hash: 08e9c7453818299e866e88d70da67c55485919fcfb4e135f4816fa3d6e61eb40
                                                                              • Instruction Fuzzy Hash: 18F092F0656301DAEB205B71AE4673A39949BC0B86F20443BF740F91E1EF7C8481D60D
                                                                              APIs
                                                                              • CommandLineToArgvW.SHELL32(00000000), ref: 0040D0D1
                                                                              • GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: ArgvCommandLineLocalTime
                                                                              • String ID:
                                                                              • API String ID: 561774760-0
                                                                              • Opcode ID: c6f1959fd0e4a5e57e9212950f11b71cbeaa3b1364d0a37361e57c370383f048
                                                                              • Instruction ID: d9434859a2521f5014afe1b2acdda15a949712a0542376f0925ae5c52f55e38c
                                                                              • Opcode Fuzzy Hash: c6f1959fd0e4a5e57e9212950f11b71cbeaa3b1364d0a37361e57c370383f048
                                                                              • Instruction Fuzzy Hash: 01E08631C09203EFC7002FE45E491693AE4AB05391734497BD143F52E0DA7C408B976F
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD511E
                                                                                • Part of subcall function 02BD3D7E: htons.WS2_32(?), ref: 02BD3DA2
                                                                                • Part of subcall function 02BD3D7E: htonl.WS2_32(00000000), ref: 02BD3DB9
                                                                                • Part of subcall function 02BD3D7E: htonl.WS2_32(00000000), ref: 02BD3DC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonl$H_prologhtons
                                                                              • String ID:
                                                                              • API String ID: 4039807196-0
                                                                              • Opcode ID: 74572fee481c620938cafb4e3ec0ca39412b2f5677456495cbb98f3c352b50db
                                                                              • Instruction ID: d5c34d03e35a3cc25bd59c31b6e0bc3ffca34a44c98ae00ce3fd936e3601c515
                                                                              • Opcode Fuzzy Hash: 74572fee481c620938cafb4e3ec0ca39412b2f5677456495cbb98f3c352b50db
                                                                              • Instruction Fuzzy Hash: 928157B1D0424E8FCF15DFA8D490AEEBBB5EF08314F14819AD851B7240EB765A49CF64
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BDE9BD
                                                                                • Part of subcall function 02BD1A01: TlsGetValue.KERNEL32 ref: 02BD1A0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologValue
                                                                              • String ID:
                                                                              • API String ID: 3700342317-0
                                                                              • Opcode ID: 00b9761c8614e493256492da420b6cc4d1f7e43fc0540b237c2ff38badba2ae2
                                                                              • Instruction ID: 503e20f06554da1b4cbdfa608bee8bfa12988e386f0018fea6b4840b8a3ea6ee
                                                                              • Opcode Fuzzy Hash: 00b9761c8614e493256492da420b6cc4d1f7e43fc0540b237c2ff38badba2ae2
                                                                              • Instruction Fuzzy Hash: FA212FB190460AAFDB04DFA8D540AEEBBF9FF49314F10816EE915A7240E771E901CBA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002C0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C0A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2c0a000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Query_
                                                                              • String ID:
                                                                              • API String ID: 428220571-0
                                                                              • Opcode ID: d841b22e101c2edc8a9fd6a78a86324141f450025aa386fdefdd9da358b9a21f
                                                                              • Instruction ID: 6fd9a56c5d8a347e807165b92c6e17828d2c92356ff1c0b38169667ea38047c1
                                                                              • Opcode Fuzzy Hash: d841b22e101c2edc8a9fd6a78a86324141f450025aa386fdefdd9da358b9a21f
                                                                              • Instruction Fuzzy Hash: B11188B251C7149FE3153E19ECC53BAF7E8EB84320F06852DD7C003A08EA342944C6C6
                                                                              APIs
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BD33CC
                                                                                • Part of subcall function 02BD32AB: __EH_prolog.LIBCMT ref: 02BD32B0
                                                                                • Part of subcall function 02BD32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02BD32C3
                                                                                • Part of subcall function 02BD32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BD32EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                              • String ID:
                                                                              • API String ID: 1518410164-0
                                                                              • Opcode ID: 2545c513d42f90f4b5f8e08c18869b2a4981124c0e63944d8af826c80bb867f2
                                                                              • Instruction ID: 918240f6ea3074f8998cae6ed432a46e051962ca95f83386d730fa1bc3333d45
                                                                              • Opcode Fuzzy Hash: 2545c513d42f90f4b5f8e08c18869b2a4981124c0e63944d8af826c80bb867f2
                                                                              • Instruction Fuzzy Hash: 80018070615606AFD704CF69D885F95BBA9FF44330F14839AE928872C1EB70E821CFA5
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BDE54D
                                                                                • Part of subcall function 02BD26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02BD2706
                                                                                • Part of subcall function 02BD26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BD272B
                                                                                • Part of subcall function 02BD26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BF5B53), ref: 02BD2738
                                                                                • Part of subcall function 02BD26DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02BD2778
                                                                                • Part of subcall function 02BD26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BD27D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID:
                                                                              • API String ID: 4293676635-0
                                                                              • Opcode ID: 7b20492d6489ed27b16b30bdd4130daf573c3faa9d9544664589be95a5aff9b8
                                                                              • Instruction ID: f2c85d829d6c8fa12b6f1a6a0485e610a3585ad45908d174a2f0808f2b3c0f5e
                                                                              • Opcode Fuzzy Hash: 7b20492d6489ed27b16b30bdd4130daf573c3faa9d9544664589be95a5aff9b8
                                                                              • Instruction Fuzzy Hash: 2C01D0B1900B059FC358CF1AC54098AFBF4EF88310B05C6EE98598B321E770AA44CF90
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BDE32C
                                                                                • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
                                                                                • Part of subcall function 02BDE548: __EH_prolog.LIBCMT ref: 02BDE54D
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_malloc
                                                                              • String ID:
                                                                              • API String ID: 4254904621-0
                                                                              • Opcode ID: 8ce0f849d3c7dbb9350eb777e45d34380ee457406739e9cb92441a3d284c4845
                                                                              • Instruction ID: ee19c6e633ebcda61cef84c0e9edaa7f407298ceb806a13f3878e96a199f29b5
                                                                              • Opcode Fuzzy Hash: 8ce0f849d3c7dbb9350eb777e45d34380ee457406739e9cb92441a3d284c4845
                                                                              • Instruction Fuzzy Hash: 16E0C271A0010AABDF4DEF68D80177EBBA6EB04700F0081EEB90AE6340FF70C9008B14
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID:
                                                                              • API String ID: 71445658-0
                                                                              • Opcode ID: b581c9ec6ad076559c56b2a4ab5eaaaf284dc3c8b83333fc2c97dbe9134db8f3
                                                                              • Instruction ID: e745a685359c687d3d825dd480fb543b8200795d3078283e8536241295c4df4a
                                                                              • Opcode Fuzzy Hash: b581c9ec6ad076559c56b2a4ab5eaaaf284dc3c8b83333fc2c97dbe9134db8f3
                                                                              • Instruction Fuzzy Hash: 3ED05B32604015D6C7054EF59A4C5EFB7749740349F205473DD07F04C0D3FC954E561A
                                                                              APIs
                                                                                • Part of subcall function 02BE5C5A: __getptd_noexit.LIBCMT ref: 02BE5C5B
                                                                                • Part of subcall function 02BE5C5A: __amsg_exit.LIBCMT ref: 02BE5C68
                                                                                • Part of subcall function 02BE3493: __getptd_noexit.LIBCMT ref: 02BE3497
                                                                                • Part of subcall function 02BE3493: __freeptd.LIBCMT ref: 02BE34B1
                                                                                • Part of subcall function 02BE3493: RtlExitUserThread.NTDLL(?,00000000,?,02BE3473,00000000), ref: 02BE34BA
                                                                              • __XcptFilter.LIBCMT ref: 02BE347F
                                                                                • Part of subcall function 02BE8D94: __getptd_noexit.LIBCMT ref: 02BE8D98
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                              • String ID:
                                                                              • API String ID: 1405322794-0
                                                                              • Opcode ID: 35c986404b1aefa68b51df00e57daf3832ebea4082c6f560e933740569b2d245
                                                                              • Instruction ID: 512181e4697ff2cb3c7ab495fe4625cc0d6aa6ab2ddca7518b876e3ff5a7a30a
                                                                              • Opcode Fuzzy Hash: 35c986404b1aefa68b51df00e57daf3832ebea4082c6f560e933740569b2d245
                                                                              • Instruction Fuzzy Hash: 00E0ECB19006019FEF08ABE4D959F2D77B6AF04301F2000D8E103AB2B1CBB5A9409F20
                                                                              APIs
                                                                              • RegSetValueExA.KERNEL32(?,?,?,00000004), ref: 0040D581
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              • Opcode ID: 4f778c0adb16ede1a4ca5b76b0c10ea9c9676ab3783dd9556ae62bcd3139cde5
                                                                              • Instruction ID: dcc8cea847f6446324a83dd178a4e23f51a57f1038c77a64d086fe0ae74714e2
                                                                              • Opcode Fuzzy Hash: 4f778c0adb16ede1a4ca5b76b0c10ea9c9676ab3783dd9556ae62bcd3139cde5
                                                                              • Instruction Fuzzy Hash: F3D05B75C0C504FECB025BD08D5CEFA7B785708305F1104A3EA55F01D1C275551BAB1E
                                                                              APIs
                                                                              • RegSetValueExA.KERNEL32(?,?,?,00000004), ref: 0040D581
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              • Opcode ID: 4bc8af0b065d7724018e3d2740be58c49e874020788429481d8cfb88b6435bb8
                                                                              • Instruction ID: ba296add1ab31379e2f5866567ce6d2ab2cfac623c015ea47abb187f797129c8
                                                                              • Opcode Fuzzy Hash: 4bc8af0b065d7724018e3d2740be58c49e874020788429481d8cfb88b6435bb8
                                                                              • Instruction Fuzzy Hash: 04D0C9B5C08414FEDB065BD08D68FFE77BCA708709F110462EB19F00D0C675961AAB2D
                                                                              APIs
                                                                              • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004022A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: ManagerOpen
                                                                              • String ID:
                                                                              • API String ID: 1889721586-0
                                                                              • Opcode ID: e8a3da72905c62d767eb84e9ace12f9c6a17825d8514f449117044fe92d226cf
                                                                              • Instruction ID: 47956fe134d5731143f17911134bf59dbe19c6e2bb19c7d730009134aa692a28
                                                                              • Opcode Fuzzy Hash: e8a3da72905c62d767eb84e9ace12f9c6a17825d8514f449117044fe92d226cf
                                                                              • Instruction Fuzzy Hash: EFC08C60E4D241FFD7400F901E98E7A296E4747308B7000BFB602B50D1C27C0E19B63B
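The function blocks above are easier to triage in bulk than one at a time. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for the per-function "APIs" blocks in this text export. It groups each function's call references with the memory dump it was lifted from, and decodes the few constant arguments that are visible in the listing: the `00000002` access mask passed to OpenSCManagerA (SC_MANAGER_CREATE_SERVICE), the `00000004` type passed to RegSetValueExA (REG_DWORD), the `00000002` passed to shutdown (SD_BOTH) and the `000493E0` period passed to SetWaitableTimer (300000 ms). The layout it assumes is exactly the one shown on this page; the sample text is a handful of blocks copied from it, and the triage rules are the author's own choices, not anything the report states.

```python
"""Parse the per-function 'APIs' blocks of a Joe Sandbox text export.

Added example for this page; not Joe Sandbox code. It assumes the plain-text
layout visible in the report: a block starts with the line 'APIs', followed by
bullet lines such as
    • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004022A5
and indented sub-call lines such as
    • Part of subcall function 02BD26DB: SetWaitableTimer.KERNEL32(...), ref: 02BD2778
The 'Source File' line under 'Memory Dump Source' names the dump the function
was lifted from and whether that dump is backed by a PE image.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: five blocks copied in the layout of this report.
SAMPLE = """\
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BD83FE
• shutdown.WS2_32(?,00000002), ref: 02BD8407
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
APIs
• __EH_prolog.LIBCMT ref: 02BDE54D
  • Part of subcall function 02BD26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02BD2706
  • Part of subcall function 02BD26DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02BD2778
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
APIs
• RegSetValueExA.KERNEL32(?,?,?,00000004), ref: 0040D581
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
APIs
• OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004022A5
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002C0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C0A000, based on PE: false
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w$]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(
    r"^•\s*Source File: .*?Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Win32 constants decoded below (documented values, not taken from the report).
SC_MANAGER_CREATE_SERVICE = 0x0002
REG_DWORD = 4
SD_BOTH = 2


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # stack values as printed; '?' means unknown
    ref: int                         # address of the call instruction
    subcall_of: Optional[int] = None  # set when the call sits inside a callee


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    dump_offset: Optional[int] = None
    based_on_pe: Optional[bool] = None


def parse_blocks(text: str) -> list:
    """Split the export into FunctionBlocks, one per 'APIs' heading."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.dump_offset = int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
    return blocks


def hexarg(args: list, idx: int) -> Optional[int]:
    """args[idx] as an int, or None when it is missing or printed as '?'."""
    if idx >= len(args) or args[idx] == "?":
        return None
    return int(args[idx], 16)


def triage(block: FunctionBlock) -> list:
    """Human-readable notes for the call patterns this example cares about."""
    notes = []
    for c in block.calls:
        if c.name in ("OpenSCManagerA", "OpenSCManagerW"):
            access = hexarg(c.args, 2)            # dwDesiredAccess
            if access is not None and access & SC_MANAGER_CREATE_SERVICE:
                notes.append(f"{c.ref:08X}: SCM opened with SC_MANAGER_CREATE_SERVICE")
        elif c.name in ("RegSetValueExA", "RegSetValueExW"):
            kind = hexarg(c.args, 3)              # dwType
            notes.append(f"{c.ref:08X}: registry write" + (" (REG_DWORD)" if kind == REG_DWORD else ""))
        elif c.name == "SetWaitableTimer":
            period = hexarg(c.args, 2)            # lPeriod, milliseconds
            if period:
                notes.append(f"{c.ref:08X}: periodic timer every {period / 1000:g} s")
        elif c.name == "shutdown":
            if hexarg(c.args, 1) == SD_BOTH:      # how
                notes.append(f"{c.ref:08X}: socket shutdown(SD_BOTH)")
    if block.based_on_pe is False and block.calls:
        notes.append("code lives in a region not backed by a PE image")
    return notes


def triage_report(text: str) -> list:
    return [(b.dump_offset, triage(b)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for off, notes in triage_report(SAMPLE):
        for n in notes:
            print(f"dump {off:08X}  {n}")
```

Run on the real export, the `based_on_pe` flag is the first thing to sort on: every block on this page whose dump is `02BD1000` or `02C0A000` carries `based on PE: false`, which is where the unpacked code that the report's Yara rules matched was lifted from, while the `00400000` blocks belong to the on-disk image.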
                                                                              APIs
                                                                              • LoadLibraryExA.KERNEL32(?,00000000), ref: 0040DA58
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
APIs
• LoadLibraryExA.KERNEL32(?,00000000), ref: 0040DA58
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• CloseHandle.KERNEL32(4CF334AB), ref: 02C6679D
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002C0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c0a000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002C0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c0a000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
  • Part of subcall function 02BE1610: OpenEventA.KERNEL32(00100002,00000000,00000000,7E189472), ref: 02BE16B0
  • Part of subcall function 02BE1610: CloseHandle.KERNEL32(00000000), ref: 02BE16C5
  • Part of subcall function 02BE1610: ResetEvent.KERNEL32(00000000,7E189472), ref: 02BE16CF
  • Part of subcall function 02BE1610: CloseHandle.KERNEL32(00000000,7E189472), ref: 02BE1704
• TlsSetValue.KERNEL32(0000002C,?), ref: 02BE21AA
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• VirtualAlloc.KERNEL32(00000000), ref: 0040D535
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
  • Part of subcall function 02BD9AD0: __EH_prolog.LIBCMT ref: 02BD9AD5
  • Part of subcall function 02BD9AD0: _Allocate.LIBCPMT ref: 02BD9B2C
  • Part of subcall function 02BD9AD0: _memmove.LIBCMT ref: 02BD9B83
• FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02BE09A2
• GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02BE09AA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: AllocateErrorFormatH_prologLastMessage_memmove
• String ID: Unknown error$invalid string position
• API String ID: 1017912131-1837348584
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,02BE4E96,?,?,?,00000001), ref: 02BE952D
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02BE9536
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
                                                                              APIs
                                                                              • StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040D640
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CtrlDispatcherServiceStart
                                                                              • String ID:
                                                                              • API String ID: 3789849863-0
                                                                              • Opcode ID: 1a9891638571a522d5843b989beb35e665980d528a5847c2a7ac3683f1b51f8a
                                                                              • Instruction ID: d45d1fb4da31336c1291b8839045fd2fe58d83eeafea799170630f4221374478
                                                                              • Opcode Fuzzy Hash: 1a9891638571a522d5843b989beb35e665980d528a5847c2a7ac3683f1b51f8a
                                                                              • Instruction Fuzzy Hash: DEA0016580C212DAC2442A905A2D4762A1CBA4E35A7219937524FB00D18A7A018E792F
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD4608
                                                                                • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
                                                                              • htons.WS2_32(?), ref: 02BD4669
                                                                              • htonl.WS2_32(?), ref: 02BD468C
                                                                              • htonl.WS2_32(00000000), ref: 02BD4693
                                                                              • htons.WS2_32(00000000), ref: 02BD4747
                                                                              • _sprintf.LIBCMT ref: 02BD475D
                                                                                • Part of subcall function 02BD8983: _memmove.LIBCMT ref: 02BD89A3
                                                                              • htons.WS2_32(?), ref: 02BD46B0
                                                                                • Part of subcall function 02BD972E: __EH_prolog.LIBCMT ref: 02BD9733
                                                                                • Part of subcall function 02BD972E: RtlEnterCriticalSection.NTDLL(00000020), ref: 02BD97AE
                                                                                • Part of subcall function 02BD972E: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BD97CC
                                                                                • Part of subcall function 02BD1BA7: __EH_prolog.LIBCMT ref: 02BD1BAC
                                                                                • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1BBC
                                                                                • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1BEA
                                                                                • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1C13
                                                                                • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1C56
                                                                                • Part of subcall function 02BDDEEA: __EH_prolog.LIBCMT ref: 02BDDEEF
                                                                              • htonl.WS2_32(?), ref: 02BD497C
                                                                              • htonl.WS2_32(00000000), ref: 02BD4983
                                                                              • htonl.WS2_32(00000000), ref: 02BD49C8
                                                                              • htonl.WS2_32(00000000), ref: 02BD49CF
                                                                              • htons.WS2_32(?), ref: 02BD49EF
                                                                              • htons.WS2_32(?), ref: 02BD49F9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                              • String ID: 0m~
                                                                              • API String ID: 1645262487-3166991699
                                                                              • Opcode ID: 47b1807cd5e39763565e9bd37cc036bc31747bc636c4a8432cd4d2612db7e74a
                                                                              • Instruction ID: e446785b206eff28aeab56af7ec6e53f7603f4198b73ae69a25eb7cf1c8ccd36
                                                                              • Opcode Fuzzy Hash: 47b1807cd5e39763565e9bd37cc036bc31747bc636c4a8432cd4d2612db7e74a
                                                                              • Instruction Fuzzy Hash: 99024771C00259EFDF15DFA4C844BEEBBB9AF08304F14459AE545B7280EB746A89CFA1
                                                                              APIs
                                                                              • RtlDecodePointer.NTDLL(?), ref: 02BE833B
                                                                              • _free.LIBCMT ref: 02BE8354
                                                                                • Part of subcall function 02BE2F74: HeapFree.KERNEL32(00000000,00000000,?,02BE5CD2,00000000,00000104,74DF0A60), ref: 02BE2F88
                                                                                • Part of subcall function 02BE2F74: GetLastError.KERNEL32(00000000,?,02BE5CD2,00000000,00000104,74DF0A60), ref: 02BE2F9A
                                                                              • _free.LIBCMT ref: 02BE8367
                                                                              • _free.LIBCMT ref: 02BE8385
                                                                              • _free.LIBCMT ref: 02BE8397
                                                                              • _free.LIBCMT ref: 02BE83A8
                                                                              • _free.LIBCMT ref: 02BE83B3
                                                                              • _free.LIBCMT ref: 02BE83D7
                                                                              • RtlEncodePointer.NTDLL(00772B78), ref: 02BE83DE
                                                                              • _free.LIBCMT ref: 02BE83F3
                                                                              • _free.LIBCMT ref: 02BE8409
                                                                              • _free.LIBCMT ref: 02BE8431
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                              • String ID: x+w
                                                                              • API String ID: 3064303923-498268428
                                                                              • Opcode ID: 97100c574edc0e43c517553f17f028624825f07269e76ad70b65d04601f7da51
                                                                              • Instruction ID: a5df09f6431a84f619de5e21e20c8ae9a97c81efecfa06add228c3e121269e0d
                                                                              • Opcode Fuzzy Hash: 97100c574edc0e43c517553f17f028624825f07269e76ad70b65d04601f7da51
                                                                              • Instruction Fuzzy Hash: 2E218032D81610CBDF256F54F8C0B0977B9EB0432872A8BA9E90657268CB30A874CFD5
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD24E6
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02BD24FC
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD250E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD256D
                                                                              • SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 02BD257F
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 02BD2599
                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02BD25A2
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BD25F0
                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02BD262F
                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02BD268E
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD2699
                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02BD26AD
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 02BD26BD
                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02BD26C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                              • String ID:
                                                                              • API String ID: 1213838671-0
                                                                              • Opcode ID: 89a5c6cae11c85e9138d3e9b47fa62392e838a8af4d40df491d103d7ad4377cb
                                                                              • Instruction ID: 832d8704e53e649059a121bdf28a4ebc50235b5d863f319ca5d30d4d992b7444
                                                                              • Opcode Fuzzy Hash: 89a5c6cae11c85e9138d3e9b47fa62392e838a8af4d40df491d103d7ad4377cb
                                                                              • Instruction Fuzzy Hash: 17613E71900249AFCB50DFB4C984AEEFBB9FF08354F1049A9E916E3641EB74A914DF60
                                                                              APIs
                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(DP Free Video Converter 10.23.46,Function_0000235E), ref: 004023C1
                                                                              • SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
                                                                              • GetLastError.KERNEL32 ref: 00402422
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                              • GetLastError.KERNEL32 ref: 00402450
                                                                              • SetServiceStatus.ADVAPI32(0040C418), ref: 00402480
                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                                              • SetServiceStatus.ADVAPI32(0040C418), ref: 004024CA
                                                                              Strings
                                                                              • DP Free Video Converter 10.23.46, xrefs: 004023BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                              • String ID: DP Free Video Converter 10.23.46
                                                                              • API String ID: 3346042915-2979630242
                                                                              • Opcode ID: a33a88bcd344c7b05522ef3558d6f8ef27db93ab9a014718f3415c66aa7e6372
                                                                              • Instruction ID: a4e8b04a7880d9e6a7542b7f05909ed80d982c166c2c741b280d8a2201be7661
                                                                              • Opcode Fuzzy Hash: a33a88bcd344c7b05522ef3558d6f8ef27db93ab9a014718f3415c66aa7e6372
                                                                              • Instruction Fuzzy Hash: 94210770401214EBD2105F26EFE9A6A7EBCFBC9754751423EE544B22B1CBB90409CF6C
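The service block above (StartServiceCtrlDispatcherA in the entry function, then RegisterServiceCtrlHandlerA with the name "DP Free Video Converter 10.23.46", SetServiceStatus, an event, a worker thread and WaitForSingleObject) is the standard Win32 service skeleton, and in a listing of this length it is easy to lose among the CRT and Winsock helpers. The script below is an added example, not code from the report, from Joe Sandbox or from the analysed sample: it parses the per-function "APIs" / "Strings" blocks in this export format, tags each function by the API cluster it calls (the cluster names and API sets are the author's assumption, not something the report defines), pulls the registered service name out of the RegisterServiceCtrlHandlerA argument, and lists the string arguments worth pivoting on. SAMPLE_REPORT is a constructed excerpt in the report's own format, condensed from three of the functions shown on this page.

```python
"""Added example, not the report's or the sample's own code: parse the
per-function "APIs" / "Strings" blocks emitted by the Joe Sandbox IDA plugin
and tag each function by the Win32 API cluster it calls, so the service
installer and the socket-building routines stand out in a listing that runs
to thousands of lines.  SAMPLE_REPORT is a constructed excerpt, in the
report's own format, condensed from three of the functions shown above."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One API-call line, with or without the "Part of subcall function" prefix:
#   • StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040D640
#   • SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
# One entry under "Strings":  • DP Free Video Converter 10.23.46, xrefs: 004023BC
STRING_RE = re.compile(r"^•\s*(?P<text>.+?), xrefs: [0-9A-F]{8}$")
# Stack values, "?" placeholders and Function_ labels are not pivotable artifacts.
NOISE_RE = re.compile(r"^(?:[0-9A-F]{8}|\?|Function_[0-9A-F]{8})$")
# Assumed triage clusters (not defined by the report); extend the sets for other samples.
TAGS = {
    "service": {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA",
                "SetServiceStatus", "CreateServiceA", "CreateServiceW"},
    "network_byteorder": {"htons", "htonl", "ntohs", "ntohl"},
    "dynamic_import": {"GetProcAddress", "LoadLibraryA", "GetModuleHandleA"},
    "iocp": {"GetQueuedCompletionStatus", "PostQueuedCompletionStatus"},
}
# via_subcall: the plugin attributed the call to a callee, not to this function
ApiCall = namedtuple("ApiCall", "api module ref args via_subcall")


@dataclass
class Function:
    opcode_id: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def tags(self):
        direct = {c.api for c in self.calls if not c.via_subcall}
        return sorted(t for t, apis in TAGS.items() if direct & apis)

    @property
    def service_name(self):
        # Name passed to RegisterServiceCtrlHandlerA: the hunt artifact for a service payload
        for c in self.calls:
            if c.api == "RegisterServiceCtrlHandlerA" and c.args:
                return c.args[0]
        return None


def parse_report(text):
    """Split a function listing into Function records; each block starts at 'APIs'."""
    functions, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current, section = Function(), "apis"
            functions.append(current)
        elif current is None:
            continue
        elif line == "Strings":
            section = "strings"
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"):
            section = None
        elif line.startswith("• Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
        elif section == "apis" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(ApiCall(m["api"], m["module"], m["ref"], args, bool(m["sub"])))
        elif section == "strings" and (m := STRING_RE.match(line)):
            current.strings.append(m["text"])
    return functions


def hunt_artifacts(functions):
    """String arguments worth pivoting on: service names, DLL and export names."""
    return sorted({a for f in functions for c in f.calls for a in c.args if not NOISE_RE.match(a)})


SAMPLE_REPORT = """\
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040D640
Similarity
• API ID: CtrlDispatcherServiceStart
• Opcode ID: 1a9891638571a522d5843b989beb35e665980d528a5847c2a7ac3683f1b51f8a
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(DP Free Video Converter 10.23.46,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
Strings
• DP Free Video Converter 10.23.46, xrefs: 004023BC
Memory Dump Source
• Opcode ID: a33a88bcd344c7b05522ef3558d6f8ef27db93ab9a014718f3415c66aa7e6372
APIs
• __EH_prolog.LIBCMT ref: 02BD3428
  • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02BD346B
• GetProcAddress.KERNEL32(00000000), ref: 02BD3472
• Opcode ID: fc18fbdba2225f98e25883b3e32cf1694370ebdabe17ec5d2836b87eb64124fc
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f.opcode_id[:12], f.tags, f.service_name or "-")
    print("pivot strings:", hunt_artifacts(parse_report(SAMPLE_REPORT)))
```

Calls the plugin reports as "Part of subcall function" are kept but excluded from tagging, so a function is labelled by what it calls itself rather than by everything reachable from it; the service name and the CancelIoEx / KERNEL32 strings that come out of hunt_artifacts are the values to feed into service-creation and module-load detections. Run the script against the full text export of a report and the whole listing is reduced to a handful of tagged functions.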
                                                                              APIs
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BBD
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BD1
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BFD
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C35
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C57
                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C70
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403C83
                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403CC1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                              • String ID: 4/@
                                                                              • API String ID: 1823725401-3101945251
                                                                              • Opcode ID: d9715bb2eede60a638f1d74c058d24820e2373c7ec377b00e43f1c9955f93e2e
                                                                              • Instruction ID: ec105e457700c611f8eb12c376b06bfccf377757ee58bbe9ab1174d08032451d
                                                                              • Opcode Fuzzy Hash: d9715bb2eede60a638f1d74c058d24820e2373c7ec377b00e43f1c9955f93e2e
                                                                              • Instruction Fuzzy Hash: 4331F27351C1245EE7202F785DC883B7E9CEA4634AB11093FF942F3380EA798E81466D
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD3428
                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02BD346B
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02BD3472
                                                                              • GetLastError.KERNEL32 ref: 02BD3486
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BD34D7
                                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02BD34ED
                                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02BD3518
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                              • String ID: CancelIoEx$KERNEL32
                                                                              • API String ID: 2902213904-434325024
                                                                              • Opcode ID: fc18fbdba2225f98e25883b3e32cf1694370ebdabe17ec5d2836b87eb64124fc
                                                                              • Instruction ID: f86fd1886cfdbadfabae97e05a30aa97093be4d5bacd95a7ce65c78814aa117a
                                                                              • Opcode Fuzzy Hash: fc18fbdba2225f98e25883b3e32cf1694370ebdabe17ec5d2836b87eb64124fc
                                                                              • Instruction Fuzzy Hash: 11317E75900205DFDB11AF74C8447AABBF9FF48354F0488D9E9059B241EBB4D911CFA2
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404381,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 0040658A
                                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065A2
                                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065B3
                                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004065C0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                              • API String ID: 2238633743-4044615076
                                                                              • Opcode ID: a0b46ec352b875195395f46d5bc267ff39082988a2927e7e8ea907aadebae93b
                                                                              • Instruction ID: a9d780b885e0602dd0934733115970cade34e3288e29060c7522bfbf4f1c42d3
                                                                              • Opcode Fuzzy Hash: a0b46ec352b875195395f46d5bc267ff39082988a2927e7e8ea907aadebae93b
                                                                              • Instruction Fuzzy Hash: 2C017571600201FBCB219FB5AFC096F3AE89B58690306193FB541F2291DE79C8159B68
                                                                              APIs
                                                                              • LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406899
                                                                              • LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004068B5
                                                                              • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00406317,?,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 004068FE
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406936
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 0040698E
                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406317,00200020,00000000,?,00000000), ref: 004069A4
                                                                              • LCMapStringW.KERNEL32(00000000,?,00406317,00000000,00406317,?,?,00406317,00200020,00000000,?,00000000), ref: 004069D7
                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 00406A3F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: String$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 352835431-0
                                                                              • Opcode ID: 52b028058ca06a0f0bdecd6ae8d0fbaa349513228d1b77f69a1be679ce9dbea8
                                                                              • Instruction ID: bfa2f6765d0c2f53a291dd63aa28e0fd85931859619bb502a825e5ecf84f9822
                                                                              • Opcode Fuzzy Hash: 52b028058ca06a0f0bdecd6ae8d0fbaa349513228d1b77f69a1be679ce9dbea8
                                                                              • Instruction Fuzzy Hash: CD519B71500209EBCF219F94CD45EAF7BB5FB49714F12413AF912B12A0C73A8C61DB69
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004042CA
                                                                              • GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004043A0
                                                                              • WriteFile.KERNEL32(00000000), ref: 004043A7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandleModuleNameWrite
                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                              • API String ID: 3784150691-4022980321
                                                                              • Opcode ID: bf8ad28efb64001b192f00e491ef6ce2a650ba3783efa5faa4453eb733959f53
                                                                              • Instruction ID: 020781dd2a094c50b4544603966d85f7b47e7f329bf5b07b80a87356522084c7
                                                                              • Opcode Fuzzy Hash: bf8ad28efb64001b192f00e491ef6ce2a650ba3783efa5faa4453eb733959f53
                                                                              • Instruction Fuzzy Hash: 7D318772600218AFDF2096609E45F9A736DAF85304F1004BFF984B61D1EA789D458A5D
                                                                              APIs
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,7E189472), ref: 02BE16B0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BE16C5
                                                                              • ResetEvent.KERNEL32(00000000,7E189472), ref: 02BE16CF
                                                                              • CloseHandle.KERNEL32(00000000,7E189472), ref: 02BE1704
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7E189472), ref: 02BE177A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BE178F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                              • String ID:
                                                                              • API String ID: 1285874450-0
                                                                              • Opcode ID: 0dcb0700a3d933561a8d281b850eee15338e16a4c47f27c05f96bd25e0ccd377
                                                                              • Instruction ID: 0249f6d04f0c01847f75e8074e865451c005c7eedc3e760e6a8d9bb6c0998e01
                                                                              • Opcode Fuzzy Hash: 0dcb0700a3d933561a8d281b850eee15338e16a4c47f27c05f96bd25e0ccd377
                                                                              • Instruction Fuzzy Hash: 934141B0D14358AFDF10CFA9C849BADB7B8EF05764F244699E91AEB280D7349D05CB60
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BD20AC
                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BD20CD
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD20D8
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02BD213E
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02BD217A
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02BD2187
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD21A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                              • String ID:
                                                                              • API String ID: 1171374749-0
                                                                              • Opcode ID: 518cca4230f0342618e9fe0d5c883fdba27312a71af82c0657bd0c2cee5e5284
                                                                              • Instruction ID: caa83ebaedd3688ff5aa31c0e08427579fdf2f3b9b2b8980e10460e6dcf7c94c
                                                                              • Opcode Fuzzy Hash: 518cca4230f0342618e9fe0d5c883fdba27312a71af82c0657bd0c2cee5e5284
                                                                              • Instruction Fuzzy Hash: 224156715047419FC321CF25C884AABBBF9EFC8650F004A5EE89A83650EB30E549CFA2
                                                                              APIs
                                                                                • Part of subcall function 02BE1ED0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02BE172E,?,?), ref: 02BE1EFF
                                                                                • Part of subcall function 02BE1ED0: CloseHandle.KERNEL32(00000000,?,?,02BE172E,?,?), ref: 02BE1F14
                                                                                • Part of subcall function 02BE1ED0: SetEvent.KERNEL32(00000000,02BE172E,?,?), ref: 02BE1F27
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,7E189472), ref: 02BE16B0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BE16C5
                                                                              • ResetEvent.KERNEL32(00000000,7E189472), ref: 02BE16CF
                                                                              • CloseHandle.KERNEL32(00000000,7E189472), ref: 02BE1704
                                                                              • __CxxThrowException@8.LIBCMT ref: 02BE1735
                                                                                • Part of subcall function 02BE455A: RaiseException.KERNEL32(?,?,02BDFB56,?,?,?,?,?,?,?,02BDFB56,?,02C00F98,?), ref: 02BE45AF
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7E189472), ref: 02BE177A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BE178F
                                                                                • Part of subcall function 02BE1C10: GetCurrentProcessId.KERNEL32(?), ref: 02BE1C69
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,7E189472), ref: 02BE179F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2227236058-0
                                                                              • Opcode ID: caa4c9f3a7b2cc60aace022da01da77f8d2fe89b35e8b9aeb4e28e3ef9280a4c
                                                                              • Instruction ID: 86e1fa108ac3648472c1fbe769ae93d783d32798e010ef90db8b6130abc2cd9e
                                                                              • Opcode Fuzzy Hash: caa4c9f3a7b2cc60aace022da01da77f8d2fe89b35e8b9aeb4e28e3ef9280a4c
                                                                              • Instruction Fuzzy Hash: FF314DB1E10308AFDF20DBA88C45BADB7B9EF05764F240199E81EEB280D7309D558B61
                                                                              APIs
                                                                              • __init_pointers.LIBCMT ref: 02BE5D94
                                                                                • Part of subcall function 02BE8503: RtlEncodePointer.NTDLL(00000000), ref: 02BE8506
                                                                                • Part of subcall function 02BE8503: __initp_misc_winsig.LIBCMT ref: 02BE8521
                                                                                • Part of subcall function 02BE8503: GetModuleHandleW.KERNEL32(kernel32.dll,?,02C01598,00000008,00000003,02C00F7C,?,00000001), ref: 02BE9281
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02BE9295
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02BE92A8
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02BE92BB
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02BE92CE
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02BE92E1
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02BE92F4
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02BE9307
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02BE931A
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02BE932D
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02BE9340
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02BE9353
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02BE9366
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02BE9379
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02BE938C
                                                                                • Part of subcall function 02BE8503: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02BE939F
                                                                              • __mtinitlocks.LIBCMT ref: 02BE5D99
                                                                              • __mtterm.LIBCMT ref: 02BE5DA2
                                                                                • Part of subcall function 02BE5E0A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02BE8939
                                                                                • Part of subcall function 02BE5E0A: _free.LIBCMT ref: 02BE8940
                                                                                • Part of subcall function 02BE5E0A: RtlDeleteCriticalSection.NTDLL(02C03978), ref: 02BE8962
                                                                              • __calloc_crt.LIBCMT ref: 02BE5DC7
                                                                              • __initptd.LIBCMT ref: 02BE5DE9
                                                                              • GetCurrentThreadId.KERNEL32 ref: 02BE5DF0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                              • String ID:
                                                                              • API String ID: 3567560977-0
                                                                              • Opcode ID: b2ae0eb4bf7a2efe4985cb73a5dbe0385cf3380c5766814dc65c044de62d57a8
                                                                              • Instruction ID: 2ce39457998ed4ca9bb053b0cb12edc0a57bf042702728662320c68580bac2b7
                                                                              • Opcode Fuzzy Hash: b2ae0eb4bf7a2efe4985cb73a5dbe0385cf3380c5766814dc65c044de62d57a8
                                                                              • Instruction Fuzzy Hash: 3EF0B432558B112EEE7876757C8974F2782DF01738B6106D9E467D60E4FF21C4914BA1
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02BE3473,00000000), ref: 02BE34DB
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02BE34E2
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02BE34EE
                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02BE350B
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 3489934621-340411864
                                                                              • Opcode ID: 35670267123929433c44c94faba39429882213c512de7cb79a4fd95aa4df9541
                                                                              • Instruction ID: d2ef27509c671287392dfe7d38613ab9b1241b7ca97b1e3a1c55873af7f2c954
                                                                              • Opcode Fuzzy Hash: 35670267123929433c44c94faba39429882213c512de7cb79a4fd95aa4df9541
                                                                              • Instruction Fuzzy Hash: 9CE01270ED0340ABEF505F75EC49F1737A9A700746F1049E4F602D6294CBB552789F54
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02BE34B0), ref: 02BE35B0
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02BE35B7
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02BE35C2
                                                                              • RtlDecodePointer.NTDLL(02BE34B0), ref: 02BE35DD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              • Opcode ID: 12a35b9191324b076481836111bef7b57a3e787196b6ff557a2ee2b1a6e87ab7
                                                                              • Instruction ID: 910fe6d08a3d48d817ee1e491c026dfc603b6f03bc85cbd42b48c2976ecbdfaa
                                                                              • Opcode Fuzzy Hash: 12a35b9191324b076481836111bef7b57a3e787196b6ff557a2ee2b1a6e87ab7
                                                                              • Instruction Fuzzy Hash: B4E09270ED0304ABEA909F60AD4DB167AADB700749F2149D4F20292299DBB59278DA58
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(0000002C,7E189472,?,?,?,?,00000000,02BF6AB8,000000FF,02BE21CA), ref: 02BE1F6A
                                                                              • TlsSetValue.KERNEL32(0000002C,02BE21CA,?,?,00000000), ref: 02BE1FD7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BE2001
                                                                              • HeapFree.KERNEL32(00000000), ref: 02BE2004
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: HeapValue$FreeProcess
                                                                              • String ID:
                                                                              • API String ID: 1812714009-0
                                                                              • Opcode ID: a28d0f7505f1ace4df69b7c50e40ac3290dd9b550af27a00e9e6342ba04d3a28
                                                                              • Instruction ID: 520e38aefc7cae67a7a52f1c3ec9592b3806a67fd4bec93590adf3d5978e67f4
                                                                              • Opcode Fuzzy Hash: a28d0f7505f1ace4df69b7c50e40ac3290dd9b550af27a00e9e6342ba04d3a28
                                                                              • Instruction Fuzzy Hash: 8C51AE359043449FDB20CF29C844B1ABBE9FF48764F198A99E82A972D5D731EC00CB91
                                                                              APIs
                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02BF5790
                                                                              • __FindPESection.LIBCMT ref: 02BF57AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                              • String ID:
                                                                              • API String ID: 876702719-0
                                                                              • Opcode ID: beef0e2a5a891a0726993273c10026ba5405d322acfdc5720ed3bc0e8291912b
                                                                              • Instruction ID: 62d188f141061ed5842ce45f81bb06e2cc79b11df58151d7ee36beb38dc40af6
                                                                              • Opcode Fuzzy Hash: beef0e2a5a891a0726993273c10026ba5405d322acfdc5720ed3bc0e8291912b
                                                                              • Instruction Fuzzy Hash: 96A1E071E007158FDB78CF28D8847ADB7A5EB48325F9546A9DE15AB391E730E808CB90
                                                                              APIs
                                                                              • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040674D
                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 00406767
                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040679B
                                                                              • MultiByteToWideChar.KERNEL32(00406317,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004067D3
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406829
                                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040683B
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: StringType$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 3852931651-0
                                                                              • Opcode ID: 773bae316822cb58e3f9949346ace8707e6d4ebf412f3a77ab6d13d65b0a9b3b
                                                                              • Instruction ID: 8ac2037c816029e642a9b4ec2df7aab8045e17b8c7d4a01b19cad4fbac0790f4
                                                                              • Opcode Fuzzy Hash: 773bae316822cb58e3f9949346ace8707e6d4ebf412f3a77ab6d13d65b0a9b3b
                                                                              • Instruction Fuzzy Hash: 6D418D72501209EFCF209F94CD85EAF3B79FB04714F11453AF912B2290D73989618BA9
                                                                              APIs
                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD1CB1
                                                                              • CloseHandle.KERNEL32(?), ref: 02BD1CBA
                                                                              • InterlockedExchangeAdd.KERNEL32(02C0727C,00000000), ref: 02BD1CC6
                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02BD1CD4
                                                                              • QueueUserAPC.KERNEL32(02BD1E7C,?,00000000), ref: 02BD1CE1
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02BD1CEC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                              • String ID:
                                                                              • API String ID: 1946104331-0
APIs
• GetVersionExA.KERNEL32 ref: 00403ECB
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F00
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F60
Strings
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
APIs
• std::exception::exception.LIBCMT ref: 02BE197F
  • Part of subcall function 02BE24D3: std::exception::_Copy_str.LIBCMT ref: 02BE24EC
  • Part of subcall function 02BE0D50: __CxxThrowException@8.LIBCMT ref: 02BE0DAE
• std::exception::exception.LIBCMT ref: 02BE19DE
Strings
• boost unique_lock owns already the mutex, xrefs: 02BE19CD
• boost unique_lock has no mutex, xrefs: 02BE196E
• $, xrefs: 02BE19E3
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
• String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
• API String ID: 2140441600-46888669
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2350
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2360
• PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BD2370
• GetLastError.KERNEL32 ref: 02BD237A
  • Part of subcall function 02BD1712: __EH_prolog.LIBCMT ref: 02BD1717
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
• String ID: pqcs
• API String ID: 1619523792-2559862021
APIs
• __EH_prolog.LIBCMT ref: 02BD4035
• GetProcessHeap.KERNEL32(00000000,?), ref: 02BD4042
• RtlAllocateHeap.NTDLL(00000000), ref: 02BD4049
• std::exception::exception.LIBCMT ref: 02BD4063
  • Part of subcall function 02BDA6C1: __EH_prolog.LIBCMT ref: 02BDA6C6
  • Part of subcall function 02BDA6C1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BDA6D5
  • Part of subcall function 02BDA6C1: __CxxThrowException@8.LIBCMT ref: 02BDA6F4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3112922283-2104205924
APIs
• GetStartupInfoA.KERNEL32(?), ref: 00403D2D
• GetFileType.KERNEL32(00000800), ref: 00403DD3
• GetStdHandle.KERNEL32(-000000F6), ref: 00403E2C
• GetFileType.KERNEL32(00000000), ref: 00403E3A
• SetHandleCount.KERNEL32 ref: 00403E71
Memory Dump Source
• Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
APIs
  • Part of subcall function 02BE1A50: CloseHandle.KERNEL32(00000000,7E189472), ref: 02BE1AA1
  • Part of subcall function 02BE1A50: WaitForSingleObject.KERNEL32(?,000000FF,7E189472,?,?,?,?,7E189472,02BE1A23,7E189472), ref: 02BE1AB8
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BE1D1E
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BE1D3E
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02BE1D77
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02BE1DCB
• SetEvent.KERNEL32(?), ref: 02BE1DD2
  • Part of subcall function 02BD418C: CloseHandle.KERNEL32(00000000,?,02BE1D05), ref: 02BD41B0
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
• String ID:
• API String ID: 4166353394-0
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BD20AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BD20CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD20D8
• InterlockedDecrement.KERNEL32(?), ref: 02BD213E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD21A6
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$DecrementTimerWaitable
• String ID:
• API String ID: 1611172436-0
APIs
• __EH_prolog.LIBCMT ref: 02BDE0F4
  • Part of subcall function 02BD1A01: TlsGetValue.KERNEL32 ref: 02BD1A0A
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BDE173
• RtlEnterCriticalSection.NTDLL(?), ref: 02BDE18F
• InterlockedIncrement.KERNEL32(02C05190), ref: 02BDE1B4
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BDE1C9
  • Part of subcall function 02BD27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02BD284E
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
• String ID:
• API String ID: 1578506061-0
APIs
• _malloc.LIBCMT ref: 02BF03B0
  • Part of subcall function 02BE2FAC: __FF_MSGBANNER.LIBCMT ref: 02BE2FC3
  • Part of subcall function 02BE2FAC: __NMSG_WRITE.LIBCMT ref: 02BE2FCA
  • Part of subcall function 02BE2FAC: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 02BE2FEF
• _free.LIBCMT ref: 02BF03C3
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
APIs
• __EH_prolog.LIBCMT ref: 02BD21DA
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD21ED
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02BD2224
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02BD2237
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02BD2261
  • Part of subcall function 02BD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2350
  • Part of subcall function 02BD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2360
  • Part of subcall function 02BD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BD2370
  • Part of subcall function 02BD2341: GetLastError.KERNEL32 ref: 02BD237A
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
APIs
• __EH_prolog.LIBCMT ref: 02BD229D
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BD22B0
• TlsGetValue.KERNEL32 ref: 02BD22E7
• TlsSetValue.KERNEL32(?), ref: 02BD2300
• TlsSetValue.KERNEL32(?,?,?), ref: 02BD231C
  • Part of subcall function 02BD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2350
  • Part of subcall function 02BD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2360
  • Part of subcall function 02BD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BD2370
  • Part of subcall function 02BD2341: GetLastError.KERNEL32 ref: 02BD237A
Memory Dump Source
• Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
                                                                              APIs
                                                                                • Part of subcall function 02BDB15C: __EH_prolog.LIBCMT ref: 02BDB161
                                                                              • __CxxThrowException@8.LIBCMT ref: 02BDBD26
                                                                                • Part of subcall function 02BE455A: RaiseException.KERNEL32(?,?,02BDFB56,?,?,?,?,?,?,?,02BDFB56,?,02C00F98,?), ref: 02BE45AF
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02C01DB4,?,00000001), ref: 02BDBD3C
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BDBD4F
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02C01DB4,?,00000001), ref: 02BDBD5F
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BDBD6D
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2725315915-0
                                                                              APIs
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BD2432
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BD2445
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD2454
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2469
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD2470
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 747265849-0
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02BD1ED2
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02BD1EEA
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD1EF9
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BD1F0E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD1F15
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 830998967-0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID: invalid string position$string too long
                                                                              • API String ID: 4104443479-4289949731
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02BD30C3
                                                                              • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02BD3102
                                                                              • _memcmp.LIBCMT ref: 02BD3141
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorLastString_memcmp
                                                                              • String ID: 255.255.255.255
                                                                              • API String ID: 1618111833-2422070025
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BDCDA0
                                                                                • Part of subcall function 02BDD35E: std::exception::exception.LIBCMT ref: 02BDD38B
                                                                                • Part of subcall function 02BDDB74: __EH_prolog.LIBCMT ref: 02BDDB79
                                                                                • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
                                                                                • Part of subcall function 02BDD3BB: __EH_prolog.LIBCMT ref: 02BDD3C0
                                                                              Strings
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BDCDDD
                                                                              • Xrv, xrefs: 02BDCE2F, 02BDCE57
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02BDCDD6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$Xrv$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                              • API String ID: 1953324306-3686757134
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD9733
                                                                                • Part of subcall function 02BD1BA7: __EH_prolog.LIBCMT ref: 02BD1BAC
                                                                                • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1BBC
                                                                                • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1BEA
                                                                                • Part of subcall function 02BD1BA7: RtlEnterCriticalSection.NTDLL ref: 02BD1C13
                                                                                • Part of subcall function 02BD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BD1C56
                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 02BD97AE
                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BD97CC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                              • String ID: 0m~
                                                                              • API String ID: 1633115879-3166991699
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD1F5B
                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02BD1FC5
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 02BD1FD2
                                                                                • Part of subcall function 02BD1712: __EH_prolog.LIBCMT ref: 02BD1717
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                              • String ID: iocp
                                                                              • API String ID: 998023749-976528080
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02BE3B64
                                                                                • Part of subcall function 02BE2FAC: __FF_MSGBANNER.LIBCMT ref: 02BE2FC3
                                                                                • Part of subcall function 02BE2FAC: __NMSG_WRITE.LIBCMT ref: 02BE2FCA
                                                                                • Part of subcall function 02BE2FAC: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 02BE2FEF
                                                                              • std::exception::exception.LIBCMT ref: 02BE3B82
                                                                              • __CxxThrowException@8.LIBCMT ref: 02BE3B97
                                                                                • Part of subcall function 02BE455A: RaiseException.KERNEL32(?,?,02BDFB56,?,?,?,?,?,?,?,02BDFB56,?,02C00F98,?), ref: 02BE45AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3074076210-2104205924
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD37B6
                                                                              • __localtime64.LIBCMT ref: 02BD37C1
                                                                                • Part of subcall function 02BE2600: __gmtime64_s.LIBCMT ref: 02BE2613
                                                                              • std::exception::exception.LIBCMT ref: 02BD37D9
                                                                                • Part of subcall function 02BE24D3: std::exception::_Copy_str.LIBCMT ref: 02BE24EC
                                                                                • Part of subcall function 02BDA51F: __EH_prolog.LIBCMT ref: 02BDA524
                                                                                • Part of subcall function 02BDA51F: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BDA533
                                                                                • Part of subcall function 02BDA51F: __CxxThrowException@8.LIBCMT ref: 02BDA552
                                                                              Strings
                                                                              • could not convert calendar time to UTC time, xrefs: 02BD37CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                              • String ID: could not convert calendar time to UTC time
                                                                              • API String ID: 1963798777-2088861013
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,00402E6A), ref: 0040315F
                                                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040316F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                              • API String ID: 1646373207-3105848591
                                                                              APIs
                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040403A), ref: 00404C3D
                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040403A), ref: 00404C61
                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040403A), ref: 00404C7B
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040403A), ref: 00404D3C
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040403A), ref: 00404D53
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual$FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 714016831-0
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00008000,00004000,74DEDFF0,?,00000000), ref: 00404696
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004046F1
                                                                              • HeapFree.KERNEL32(00000000,?), ref: 00404703
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Free$Virtual$Heap
                                                                              • String ID: 4/@
                                                                              • API String ID: 2016334554-3101945251
                                                                              • Opcode ID: 199a36f977281599ad5afd87853ae24f4074e0c008a667361992956c0e030d6f
                                                                              • Instruction ID: 78bd1f862fe0b28b52f27270d0fa5238b1a9d3d64e45df471a1af09ca5d00069
                                                                              • Opcode Fuzzy Hash: 199a36f977281599ad5afd87853ae24f4074e0c008a667361992956c0e030d6f
                                                                              • Instruction Fuzzy Hash: 95B19EB4A01205DFDB14DF44CAD0A69BBA1FB88318F24C1AEDA196F392C735ED45CB84
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AdjustPointer_memmove
                                                                              • String ID:
                                                                              • API String ID: 1721217611-0
                                                                              • Opcode ID: d683a934f294e62e276e1e43bd6f622c506fc5d31c48b22bd76729298b8e764d
                                                                              • Instruction ID: fca2466acc140cd6bfaf5be6d0b1f86eebad18f2f1ed903b26444bee3c06c5f2
                                                                              • Opcode Fuzzy Hash: d683a934f294e62e276e1e43bd6f622c506fc5d31c48b22bd76729298b8e764d
                                                                              • Instruction Fuzzy Hash: E141B5766043029FEF299E69D842B7A3BE9EF41354F2404AFE9478A1D2DB71D580CF14
                                                                              APIs
                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BD4149), ref: 02BE13BF
                                                                                • Part of subcall function 02BD3FDC: __EH_prolog.LIBCMT ref: 02BD3FE1
                                                                                • Part of subcall function 02BD3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02BD3FF3
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BE13B4
                                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02BD4149), ref: 02BE1400
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02BD4149), ref: 02BE14D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                                              • String ID:
                                                                              • API String ID: 2825413587-0
                                                                              • Opcode ID: f75e505978808c9df71936903fe5ed2067053366dccf5ffe6335b902edab715a
                                                                              • Instruction ID: 8dce8fb44535552fe8446c89c18559b1655e6d63f4171fb87f074cdc33f0a627
                                                                              • Opcode Fuzzy Hash: f75e505978808c9df71936903fe5ed2067053366dccf5ffe6335b902edab715a
                                                                              • Instruction Fuzzy Hash: 70519FB16003459BDF11DF28C884B5A77E4EF48368F2946A8E86E97390EB35DC05CF91
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                              • String ID:
                                                                              • API String ID: 2782032738-0
                                                                              • Opcode ID: 0f85ed940c6d56133a0b6a9dcb7d8327fee3612a615be86a27bf3e8a21ccc4b7
                                                                              • Instruction ID: fa5a55f2f8114a7cc0502c5beeaf66019b9ae49abf662ce5b8554ee5121f5c71
                                                                              • Opcode Fuzzy Hash: 0f85ed940c6d56133a0b6a9dcb7d8327fee3612a615be86a27bf3e8a21ccc4b7
                                                                              • Instruction Fuzzy Hash: 87419371B00706ABDF289EA9C89197E77E6EF45364B1482FDE867C7240D771E941CB40
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BEFF4B
                                                                              • __isleadbyte_l.LIBCMT ref: 02BEFF79
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02BEFFA7
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02BEFFDD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: 7fa106cb64989c2793d7d68e0bcefdec798bf3f82ee91826ad262f2271c9ebe4
                                                                              • Instruction ID: 0a0182f83dda57cc7178d8e77aa445b05eacc83427f11205e298dd070a5c501a
                                                                              • Opcode Fuzzy Hash: 7fa106cb64989c2793d7d68e0bcefdec798bf3f82ee91826ad262f2271c9ebe4
                                                                              • Instruction Fuzzy Hash: 5B312332A02246AFDF218E74C844BBABBBAFF42354F1544A8F86687590D730D851DBD1
                                                                              APIs
                                                                              • htons.WS2_32(?), ref: 02BD3DA2
                                                                                • Part of subcall function 02BD3BD3: __EH_prolog.LIBCMT ref: 02BD3BD8
                                                                                • Part of subcall function 02BD3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02BD3BED
                                                                              • htonl.WS2_32(00000000), ref: 02BD3DB9
                                                                              • htonl.WS2_32(00000000), ref: 02BD3DC0
                                                                              • htons.WS2_32(?), ref: 02BD3DD4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                              • String ID:
                                                                              • API String ID: 3882411702-0
                                                                              • Opcode ID: 24c6070d6c6b0d4a76b86d78d83bcbaadcb2acbba1e558044868e7a0266b7005
                                                                              • Instruction ID: b6e8d4c30a6622dcfa62593108fa6e84bb52220b31dba93b2350ee397c67f4d2
                                                                              • Opcode Fuzzy Hash: 24c6070d6c6b0d4a76b86d78d83bcbaadcb2acbba1e558044868e7a0266b7005
                                                                              • Instruction Fuzzy Hash: 64118E35A00209EFCF019F64D885A9AB7B9EF09310F0084D6FD09DF205EA719A64DBA2
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02BD23D0
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD23DE
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BD2401
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD2408
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 2e650cdb17d7a97ad40160556f03f24365f2f01efc5c92737f760daad3745612
                                                                              • Instruction ID: f287417d488c9c1edcf0667ba75ef88aa30688a64755b1187925b84dfd4cdcae
                                                                              • Opcode Fuzzy Hash: 2e650cdb17d7a97ad40160556f03f24365f2f01efc5c92737f760daad3745612
                                                                              • Instruction Fuzzy Hash: 5011CE31600205AFEB109F60D984BA7BBB9FF40759F1044EDEA019B501EBB1F911DFA0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction ID: aea26c3290b5614c324c4ca1fccbd5fd89203ba64cd71603a437dcde234d570b
                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction Fuzzy Hash: 8C010B3600014AFBCF166E94DD41CEE3F76BB18354B488596FE2A59131D336D9B1AB81
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BD24A9
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02BD24B8
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02BD24CD
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02BD24D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 309c5d3c1da0b75a945b2875922627caeec5520d254ae00acab7a35de77f0f51
                                                                              • Instruction ID: c9b1f9fba971965ac861dec93c99a4d49a302efd9eb81298b87f581070240e54
                                                                              • Opcode Fuzzy Hash: 309c5d3c1da0b75a945b2875922627caeec5520d254ae00acab7a35de77f0f51
                                                                              • Instruction Fuzzy Hash: C6F03C72640205AFDB40AFA9E844F9ABBACFF44751F004499FB05CB541DBB1E5608FA0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD2009
                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02BD2028
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BD2037
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02BD204E
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                              • String ID:
                                                                              • API String ID: 2456309408-0
                                                                              • Opcode ID: 394b8e19b6fbf8c23eb8acdc04dac2271e0342de549b18a35e640703a0e781da
                                                                              • Instruction ID: 405ab5a3fbff67251b831fe63979d7c1933af921d309f3ae077d044030ec8abf
                                                                              • Opcode Fuzzy Hash: 394b8e19b6fbf8c23eb8acdc04dac2271e0342de549b18a35e640703a0e781da
                                                                              • Instruction Fuzzy Hash: A701A9715007049BC738AF68E808BEABBF8FF04309F4049DEEA4683990DB716958CF94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$H_prologSleep
                                                                              • String ID:
                                                                              • API String ID: 1765829285-0
                                                                              • Opcode ID: 67143f690b663b04a0075ff681fa7f72121cec177e070821acd0dfa9851d0124
                                                                              • Instruction ID: 8c7b40df5ee3f4e7de51ace6defded4d2152b4c550ab8ebc249db1a4a741c3e8
                                                                              • Opcode Fuzzy Hash: 67143f690b663b04a0075ff681fa7f72121cec177e070821acd0dfa9851d0124
                                                                              • Instruction Fuzzy Hash: DAF05E36A40110EFCB009FA8D8C8B88BBA4FF0D311F5081E9FA1ADB290CB759954DB61
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmove
                                                                              • String ID: &'
                                                                              • API String ID: 3529519853-655172784
                                                                              • Opcode ID: 4d36d6fc7e88fc0011999330c58d746eb2adf1614ffea44e4b98b846c3de09f5
                                                                              • Instruction ID: 56698d1ddf281eb29a71f0338dd0ffdf20a3849502ba3fa808bb2ee6bca0da0b
                                                                              • Opcode Fuzzy Hash: 4d36d6fc7e88fc0011999330c58d746eb2adf1614ffea44e4b98b846c3de09f5
                                                                              • Instruction Fuzzy Hash: 50616E71D00609DFDF24EFA4C941AEDFBB6EF44710F1481AAD515AB280EB70AA45CF61
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 00406043
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: Info
                                                                              • String ID: $
                                                                              • API String ID: 1807457897-3032137957
                                                                              • Opcode ID: 4125000c220d58311b25746a099467f0aeb8d9ceb46d36609f93bdf2855c5de6
                                                                              • Instruction ID: 6f3342e17374a5810591d20bb46fecf62595c420ec24c73dd14930592398f9d2
                                                                              • Opcode Fuzzy Hash: 4125000c220d58311b25746a099467f0aeb8d9ceb46d36609f93bdf2855c5de6
                                                                              • Instruction Fuzzy Hash: 70410731004258AEEB219718DD99BFB7FD9DB02704F1501F6D54AFB1D3C23949648BAA
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02BD83CA,?,?,00000000), ref: 02BD96C7
                                                                              • getsockname.WS2_32(?,?,?), ref: 02BD96DD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastgetsockname
                                                                              • String ID: &'
                                                                              • API String ID: 566540725-655172784
                                                                              • Opcode ID: 9ca7174d38f6d19b7d16f427a553d81ba93e932ca49d9520bd43c096fd9433e4
                                                                              • Instruction ID: 23b4c47759ec37fdf20ffa37a23e464c8620ceb0343a5cd5b44de4ca55e6171d
                                                                              • Opcode Fuzzy Hash: 9ca7174d38f6d19b7d16f427a553d81ba93e932ca49d9520bd43c096fd9433e4
                                                                              • Instruction Fuzzy Hash: B3213176A002489BDB10DFA8D844ACEB7F5FF48324F1185AAE919EB280E770A9458B54
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BDCCAB
                                                                                • Part of subcall function 02BDD287: std::exception::exception.LIBCMT ref: 02BDD2B6
                                                                                • Part of subcall function 02BDDA3D: __EH_prolog.LIBCMT ref: 02BDDA42
                                                                                • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
                                                                                • Part of subcall function 02BDD2E6: __EH_prolog.LIBCMT ref: 02BDD2EB
                                                                              Strings
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BDCCE8
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02BDCCE1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                              • API String ID: 1953324306-1943798000
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02BD535D
                                                                                • Part of subcall function 02BE2FAC: __FF_MSGBANNER.LIBCMT ref: 02BE2FC3
                                                                                • Part of subcall function 02BE2FAC: __NMSG_WRITE.LIBCMT ref: 02BE2FCA
                                                                                • Part of subcall function 02BE2FAC: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 02BE2FEF
                                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02BD536F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                              • String ID: \save.dat
                                                                              • API String ID: 4128168839-3580179773
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD396A
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02BD39C1
                                                                                • Part of subcall function 02BD1410: std::exception::exception.LIBCMT ref: 02BD1428
                                                                                • Part of subcall function 02BDA615: __EH_prolog.LIBCMT ref: 02BDA61A
                                                                                • Part of subcall function 02BDA615: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BDA629
                                                                                • Part of subcall function 02BDA615: __CxxThrowException@8.LIBCMT ref: 02BDA648
                                                                              Strings
                                                                              • Day of month is not valid for year, xrefs: 02BD39AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month is not valid for year
                                                                              • API String ID: 1404951899-1521898139
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 02BDFB0E
                                                                              • __CxxThrowException@8.LIBCMT ref: 02BDFB23
                                                                                • Part of subcall function 02BE3B4C: _malloc.LIBCMT ref: 02BE3B64
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 4063778783-2104205924
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD3C1B
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02BD3C30
                                                                                • Part of subcall function 02BE24B7: std::exception::exception.LIBCMT ref: 02BE24C1
                                                                                • Part of subcall function 02BDA64E: __EH_prolog.LIBCMT ref: 02BDA653
                                                                                • Part of subcall function 02BDA64E: __CxxThrowException@8.LIBCMT ref: 02BDA67C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD3886
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02BD38A5
                                                                                • Part of subcall function 02BD1410: std::exception::exception.LIBCMT ref: 02BD1428
                                                                                • Part of subcall function 02BD8983: _memmove.LIBCMT ref: 02BD89A3
                                                                              Strings
                                                                              • Day of month value is out of range 1..31, xrefs: 02BD3894
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month value is out of range 1..31
                                                                              • API String ID: 3258419250-1361117730
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD38D2
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02BD38F1
                                                                                • Part of subcall function 02BD1410: std::exception::exception.LIBCMT ref: 02BD1428
                                                                                • Part of subcall function 02BD8983: _memmove.LIBCMT ref: 02BD89A3
                                                                              Strings
                                                                              • Year is out of valid range: 1400..10000, xrefs: 02BD38E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                              • API String ID: 3258419250-2344417016
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD391E
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02BD393D
                                                                                • Part of subcall function 02BD1410: std::exception::exception.LIBCMT ref: 02BD1428
                                                                                • Part of subcall function 02BD8983: _memmove.LIBCMT ref: 02BD89A3
                                                                              Strings
                                                                              • Month number is out of range 1..12, xrefs: 02BD392C
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Month number is out of range 1..12
                                                                              • API String ID: 3258419250-4198407886
                                                                              APIs
                                                                              • TlsAlloc.KERNEL32 ref: 02BD19CC
                                                                              • GetLastError.KERNEL32 ref: 02BD19D9
                                                                                • Part of subcall function 02BD1712: __EH_prolog.LIBCMT ref: 02BD1717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocErrorH_prologLast
                                                                              • String ID: tss
                                                                              • API String ID: 249634027-1638339373
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02BD3BD8
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02BD3BED
                                                                                • Part of subcall function 02BE24B7: std::exception::exception.LIBCMT ref: 02BE24C1
                                                                                • Part of subcall function 02BDA64E: __EH_prolog.LIBCMT ref: 02BDA653
                                                                                • Part of subcall function 02BDA64E: __CxxThrowException@8.LIBCMT ref: 02BDA67C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2945804076.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_2bd1000_dpfreevideoconverter3264.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              APIs
                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404A98
                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404ACC
                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AE6
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AFD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2944750384.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.2944750384.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_dpfreevideoconverter3264.jbxd
                                                                              Similarity
                                                                              • API ID: AllocHeap$FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 3499195154-0