
Windows Analysis Report
hAyQbTcI0I.exe

Overview

General Information

Sample name: hAyQbTcI0I.exe (renamed because original name is a hash value)
Original sample name: 08b4f4533262033c2a77f079c9c72949.exe
Analysis ID: 1540829
MD5: 08b4f4533262033c2a77f079c9c72949
SHA1: 4f82986f1c055d475374b4f6168f7a7bcdcfe50a
SHA256: 5b9c4eb3b57004c472245f3483fe5065f47b992543ff0d7ce3aaf100ab59088f
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hAyQbTcI0I.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\hAyQbTcI0I.exe" MD5: 08B4F4533262033C2A77F079C9C72949)
    • hAyQbTcI0I.tmp (PID: 7604 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe" MD5: 161D763BD5AAFAFDDA6E2D06CC832D98)
      • dpfreevideoconverter3264.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i MD5: EE5ECF7045884A8234C995C6D38B7A90)
  • svchost.exe (PID: 7944 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware configuration (Socks5Systemz): {"C2 list": ["csvskfe.net"]}
Source | Rule | Description | Author
00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000003.00000002.2601753399.0000000002C27000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: dpfreevideoconverter3264.exe PID: 7644 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data:
  Command: "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"
  CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"
  CommandLine|base64offset|contains:
  Image: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
  NewProcessName: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
  OriginalFileName: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
  ParentCommandLine: "C:\Users\user\Desktop\hAyQbTcI0I.exe"
  ParentImage: C:\Users\user\Desktop\hAyQbTcI0I.exe
  ParentProcessId: 7544
  ParentProcessName: hAyQbTcI0I.exe
  ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"
  ProcessId: 7604
  ProcessName: hAyQbTcI0I.tmp
Source: Process started | Author: vburov | Data:
  Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine:
  ParentImage:
  ParentProcessId: 624
  ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  ProcessId: 7944
  ProcessName: svchost.exe
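The first Sigma match above (authors frack113 and Nasreddine Bencherchali) corresponds to the "Sigma detected: Use Short Name Path in Command Line" entry in the signature overview: the Inno Setup stub is started through C:\Users\user~1\... instead of the long path. The Python below is an added example, not code from the report or from the Sigma project. It reproduces that check over the two process-start events listed above and, for the Inno Setup stub, recovers the original installer path from the /SL5 argument (its last comma-separated field, visible in the event itself; the leading fields, a window handle and two offsets, are not used). The event dicts are constructed from the entries above.

```python
"""Short-name (8.3) path detection and Inno Setup parent linkage.

Added example, not from the Joe Sandbox report: reproduces the logic behind a
"short name path in command line" match over process-start events and ties an
Inno Setup stub back to the installer that extracted it.
"""
import re
from typing import Optional

# One 8.3 component such as user~1 or PROGRA~1: up to six characters, a tilde,
# a number and an optional three-character extension, bounded by separators.
SHORT_NAME = re.compile(
    r'(?<=[\\/])[^\\/\s"]{1,6}~\d{1,3}(?:\.[^\\/\s".]{1,3})?(?=[\\/\s"]|$)'
)
# Inno Setup starts its extracted stub with /SL5="$hwnd,offset,size,<original setup path>".
SL5_ARG = re.compile(r'/SL5="([^"]*)"')

# Constructed events copied from the report's two process-start entries.
EVENTS = [
    {
        "ProcessId": 7604,
        "Image": r"C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp",
        "CommandLine": r'"C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" '
                       r'/SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"',
        "ParentImage": r"C:\Users\user\Desktop\hAyQbTcI0I.exe",
        "ParentProcessId": 7544,
    },
    {
        "ProcessId": 7944,
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager",
        "ParentImage": "",
        "ParentProcessId": 624,
    },
]


def short_name_components(cmdline: str) -> list[str]:
    """Return every 8.3-style path component found in a command line."""
    return SHORT_NAME.findall(cmdline)


def inno_setup_origin(cmdline: str) -> Optional[str]:
    """Original installer path carried in an Inno Setup /SL5 argument, if present."""
    m = SL5_ARG.search(cmdline)
    if not m:
        return None
    fields = m.group(1).split(",", 3)  # the path is the fourth field and may contain commas
    return fields[3] if len(fields) == 4 else None


def analyse(event: dict) -> dict:
    """Flag short-name usage and check that /SL5 points back at the parent image."""
    short = short_name_components(event["CommandLine"])
    origin = inno_setup_origin(event["CommandLine"])
    parent = event.get("ParentImage", "")
    return {
        "pid": event["ProcessId"],
        "short_names": short,
        "inno_origin": origin,
        "origin_matches_parent": bool(origin and parent and origin.lower() == parent.lower()),
        "alert": bool(short),
    }


if __name__ == "__main__":
    for ev in EVENTS:
        print(analyse(ev))
```

The short-name regex only fires on a component that sits between path separators, so a tilde inside a file name such as `a~b.txt` does not match; matching the /SL5 path against ParentImage gives a second, parent-PID-independent link from the stub to the installer that wrote it.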
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T08:39:09.105457+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49970 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:10.283560+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:13.460462+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.210486+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.625507+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:15.674388+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:16.094026+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.116086+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.533506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:18.551736+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49977 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:19.646253+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:20.059357+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:21.104643+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:22.223645+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:23.251107+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49981 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:24.294266+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:25.499957+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:26.530984+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:27.560438+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:28.600804+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:29.013830+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:30.048086+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:31.240002+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:31.654941+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:32.677317+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:33.087927+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:34.181833+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:35.217851+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49991 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:36.252864+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49992 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:37.434274+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49993 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:38.474946+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:38.889122+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:40.059236+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49995 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:41.104698+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:41.531111+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:42.730130+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49997 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:43.886916+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49998 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:44.931629+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49999 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:45.350574+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49999 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:46.587156+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:46.994428+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:47.413255+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:47.827263+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:48.847390+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50001 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:50.003155+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50002 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:51.031996+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50003 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:52.074017+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50004 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:53.173299+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:54.204248+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50006 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:55.244055+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50007 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:55.654276+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50007 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:56.694822+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50008 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:57.108054+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50008 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.148476+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.557709+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.965649+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:00.019052+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50010 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:01.047550+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50011 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:02.091518+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50012 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:03.251070+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50013 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:04.299491+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:05.325764+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50015 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:06.374572+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50016 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:07.403667+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50017 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:08.434228+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50018 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:09.464187+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50019 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:10.561628+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50020 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:11.582435+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50021 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:12.630483+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50022 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:13.674515+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50023 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:14.697202+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50024 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:15.750947+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50025 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:16.791816+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50026 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:17.833952+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50029 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:18.851043+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50030 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:19.911339+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 50031 | 185.208.158.202 | 80 | TCP
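The alert table above fires once per C2 request, and the source port moves with every new TCP connection, so the alert stream doubles as a beacon timeline. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the table's column order and turns them into a beacon profile (check-in count, median interval between new connections, a jitter score and a verdict). The input is the first 16 rows of the table, copied here as a constructed sample; the rule "first alert on a source port = one connection" and the 0.25 jitter cut-off are my assumptions.

```python
"""Beacon-interval profile of Suricata alerts.

Added example (not part of the Joe Sandbox report): parses alert rows in the
report's column order (Timestamp, SID, Severity, Classtype, Source IP,
Source Port, Destination IP, Destination Port, Protocol) and measures how
regular the C2 check-ins are. Repeated alerts on one source port belong to
one TCP connection and count as a single check-in.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed input: the first 16 rows of the report's alert table, with " | "
# as the column separator.
SAMPLE_ALERTS = """\
2024-10-24T08:39:09.105457+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49970 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:10.283560+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:13.460462+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.210486+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.625507+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:15.674388+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:16.094026+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.116086+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.533506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:18.551736+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49977 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:19.646253+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:20.059357+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:21.104643+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:22.223645+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:23.251107+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49981 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:24.294266+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 185.208.158.202 | 80 | TCP
"""

COLUMNS = ("ts", "sid", "severity", "classtype", "src", "sport", "dst", "dport", "proto")


def parse_alerts(text: str) -> list[dict]:
    """Parse ' | '-separated alert rows into dicts; a malformed row raises."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
        row = dict(zip(COLUMNS, fields))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for key in ("sid", "severity", "sport", "dport"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def beacon_profile(rows: list[dict], max_jitter: float = 0.25) -> dict:
    """Profile a single (src, dst, dport, proto) flow.

    A connection starts at the first alert seen on each source port. The
    jitter score is the median absolute deviation of the start-to-start
    intervals divided by the median interval; max_jitter is an assumed
    threshold, not something the report defines.
    """
    flows = {(r["src"], r["dst"], r["dport"], r["proto"]) for r in rows}
    if len(flows) != 1:
        raise ValueError(f"expected a single flow, got {sorted(flows)}")
    per_port = Counter(r["sport"] for r in rows)
    first_seen = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        first_seen.setdefault(r["sport"], r["ts"])
    starts = sorted(first_seen.values())
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    med = median(intervals)
    mad = median(abs(d - med) for d in intervals)
    jitter = mad / med if med else float("inf")
    return {
        "flow": next(iter(flows)),
        "alerts": len(rows),
        "connections": len(starts),
        "alerts_on_busiest_port": per_port.most_common(1)[0],
        "median_interval_s": round(med, 6),
        "max_interval_s": round(max(intervals), 6),
        "jitter": round(jitter, 4),
        "periodic": jitter <= max_jitter,
    }


if __name__ == "__main__":
    for key, value in beacon_profile(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{key:>24}: {value}")
```

On this excerpt the median gap between new connections is about 1.18 s with a jitter score of about 0.13, a tight machine-driven loop; the one 5.4 s gap is port 49971 carrying four alerts before the next connection opened, which is why the profile keys on connection starts rather than on raw alert timestamps. For hunting, compute the same profile per (src, dst, dport) over an IDS log rather than over a pre-selected flow.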


        AV Detection

Source: hAyQbTcI0I.exe | Avira: detected
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Avira: detection malicious, Label: HEUR/AGEN.1314739
Source: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | Avira: detection malicious, Label: HEUR/AGEN.1314739
Source: dpfreevideoconverter3264.exe.7644.3.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["csvskfe.net"]}
Source: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | ReversingLabs: Detection: 34%
Source: hAyQbTcI0I.exe | ReversingLabs: Detection: 23%
Source: hAyQbTcI0I.exe | Virustotal: Detection: 12%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045A4FC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045A5C8 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045A5B0 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_10001130 ArcFourCrypt

        Compliance

Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 3.2.dpfreevideoconverter3264.exe.400000.0.unpack
Source: hAyQbTcI0I.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047819C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0046E788 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045105C FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004760AC FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045EB08 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045EF84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0048F0A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045D584 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData

        Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49994 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50008 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49977 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49986 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49992 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49996 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50000 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49971 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49979 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50007 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49990 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49993 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49981 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50001 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49989 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49978 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49982 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50003 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49999 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49970 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49991 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49976 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50014 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49975 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50004 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50002 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50018 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49983 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49995 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50012 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50025 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49980 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49997 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49988 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50005 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49998 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49984 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50011 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50021 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49985 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50010 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50017 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50029 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50030 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50022 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50031 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50023 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50026 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50016 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50013 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50020 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50015 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50006 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50009 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50019 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:49987 -> 185.208.158.202:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.7:50024 -> 185.208.158.202:80
Source: Malware configuration extractor | URLs: csvskfe.net
Source: global traffic | TCP traffic: 192.168.2.7:49973 -> 89.105.201.183:2023
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | IP Address: 185.208.158.202
Source: Joe Sandbox View | IP Address: 89.105.201.183
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
        Source: global trafficHTTP traffic detected: GET /inventory/76561199007797490/730/2?l=english&count=2000 HTTP/1.1Referer: https://steamcommunity.com/profiles/76561199007797490/inventory/X-Requested-With: XMLHttpRequestX-Prototype-Version: 1.7Accept: text/javascript, text/html, application/xml, text/xml, */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: no-cacheDNT: 1Pragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: steamcommunity.comConnection: close
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183
        Source: unknown | UDP traffic detected without corresponding DNS query: 45.155.250.90
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_02CD72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,3_2_02CD72AB
        Source: global traffic | HTTP traffic detected: GET /inventory/76561199007797490/730/2?l=english&count=2000 HTTP/1.1 | Referer: https://steamcommunity.com/profiles/76561199007797490/inventory/ | X-Requested-With: XMLHttpRequest | X-Prototype-Version: 1.7 | Accept: text/javascript, text/html, application/xml, text/xml, */* | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cache-Control: no-cache | DNT: 1 | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 | host: steamcommunity.com | Connection: close
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1Host: csvskfe.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | DNS traffic detected: DNS query: csvskfe.net
        Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
        Source: dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003348000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.2
        Source: dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003348000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/sV
        Source: dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.000000000331F000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003314000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978
        Source: dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337309119.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000002.2600194129.00000000022A8000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600536918.0000000002169000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1346454649.0000000000869000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600180185.000000000084E000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340161721.000000000217C000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340031274.0000000003110000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://fsf.org/
        Source: is-G27H3.tmp.2.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-MLRBP.tmp.2.dr | String found in binary or memory: http://tukaani.org/
        Source: is-MLRBP.tmp.2.dr | String found in binary or memory: http://tukaani.org/xz/
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337309119.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000002.2600194129.00000000022A8000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600536918.0000000002169000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1346454649.0000000000869000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600180185.000000000084E000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340161721.000000000217C000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340031274.0000000003110000.00000004.00001000.00020000.00000000.sdmp, is-9LPV1.tmp.2.dr | String found in binary or memory: http://www.gnu.org/licenses/
        Source: hAyQbTcI0I.tmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | String found in binary or memory: http://www.innosetup.com/
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/?ps
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/?psU
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50027
        Source: unknown | Network traffic detected: HTTP traffic on port 50027 -> 443
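The network rows above give an analyst three things to key on: every beacon is a GET to /search/ with a long all-hex q= parameter, the same URL shape sits in memory pointing at the raw IP 185.208.158.202 as well as at csvskfe.net, and the User-Agent claims "Windows NT 9.0", an NT version that has never shipped. The script below turns those observations into a small triage check. It is an added example, not part of the Joe Sandbox report and not code from Joe Security or from the malware. The two hosts, the User-Agent string and the two hex payloads are copied from the rows above; the request to the raw IP and the benign request are constructed test input; the 128-character length floor and the decision rule (known host on its own, or payload shape combined with a User-Agent anomaly) are my assumptions rather than a published signature.

```python
"""Triage helper for the Socks5Systemz beacon pattern recorded in this report.

Added example (not from the report, the sandbox vendor or the malware).
Facts copied from the report: the hosts, the User-Agent string and the two
hex blobs. The length floor and the decision rule are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report's network and memory-string rows.
C2_HOSTS = {"csvskfe.net", "185.208.158.202"}
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BLOB_A = ("67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d7"
          "14bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe3394"
          "26fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f")
BLOB_B = ("67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a88"
          "5a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc9"
          "2be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312")

MIN_HEX_LEN = 128  # assumption: well below both blobs above; tune per environment
HEX_ONLY = re.compile(r"^[0-9a-f]+$")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


@dataclass
class Beacon:
    host: str
    payload: str        # value of the q= parameter
    reasons: List[str]


def parse_request(raw: str) -> Optional[dict]:
    """Split a raw HTTP request into request-line fields and lower-cased headers."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"], "headers": headers}


def classify(raw: str) -> Optional[Beacon]:
    """Return a Beacon when the request matches the report's C2 pattern, else None."""
    req = parse_request(raw)
    if req is None:
        return None
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    url = urlsplit(req["target"])
    q = parse_qs(url.query).get("q", [""])[0]

    reasons: List[str] = []
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if ua == BEACON_UA:
        reasons.append("User-Agent identical to the sample's beacon string")
    if "Windows NT 9.0" in ua:
        reasons.append("User-Agent claims Windows NT 9.0, a version that does not exist")
    blob = url.path == "/search/" and len(q) >= MIN_HEX_LEN and bool(HEX_ONLY.match(q))
    if blob:
        reasons.append("/search/ with a long all-hex q= parameter")

    # Decision rule (assumption): a known host is enough on its own; otherwise
    # require the payload shape plus at least one User-Agent anomaly.
    ua_anomaly = any(r.startswith("User-Agent") for r in reasons)
    if "known C2 host" in reasons or (blob and ua_anomaly):
        return Beacon(host=host, payload=q, reasons=reasons)
    return None


def scan(requests) -> List[Beacon]:
    return [b for b in (classify(r) for r in requests) if b is not None]


def longest_common_prefix(strings: List[str]) -> str:
    """Shared leading run of the lexicographically smallest and largest string."""
    if not strings:
        return ""
    lo, hi = min(strings), max(strings)
    i = 0
    while i < min(len(lo), len(hi)) and lo[i] == hi[i]:
        i += 1
    return lo[:i]


def summarize(beacons: List[Beacon]) -> dict:
    """Hits per host plus how much the distinct payloads have in common."""
    payloads = sorted({b.payload for b in beacons})
    return {
        "per_host": Counter(b.host for b in beacons),
        "distinct_payloads": len(payloads),
        "payload_prefix": longest_common_prefix(payloads),
    }


def _req(blob: str, host: str, ua: str = BEACON_UA) -> str:
    return f"GET /search/?q={blob} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n"


# Constructed input: the first two mirror report rows, the third assumes the
# sample can fall back to the raw IP seen in memory, the fourth is benign.
SAMPLE_REQUESTS = [
    _req(BLOB_A, "csvskfe.net"),
    _req(BLOB_B, "csvskfe.net"),
    _req(BLOB_B, "185.208.158.202"),
    _req("cafe", "www.example.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_REQUESTS)
    for b in hits:
        print(b.host, len(b.payload), "; ".join(b.reasons))
    print(summarize(hits))
```

The q= value itself is not a usable static indicator: the two requests in the report carry different blobs, so the script reports how long a leading run they share instead, which lets an analyst judge whether a prefix-based rule is worth trying on more samples. The host set and the impossible NT version are the stable signals; the length floor should be checked against local traffic before it goes into a production rule.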
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0042ECCC NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00423B1C NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00412570 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00455074 PostMessageA, PostMessageA, SetForegroundWindow, NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004718F0 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0042E6BC: CreateFileA, DeviceIoControl, GetLastError, CloseHandle, SetLastError
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004092A0 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00453978 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004082E8
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004620A8
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0046A284
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004349C0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00478DF1
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004640C4
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00444100
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047E4E0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00430564
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045876C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004447F8
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00444C04
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00484EC0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0043D3E0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045B514
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00443B58
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0042FB08
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00433CBC
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_00406C473_2_00406C47
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_004010513_2_00401051
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_00401C263_2_00401C26
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CEE24D3_2_02CEE24D
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CDF0713_2_02CDF071
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CEE6653_2_02CEE665
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CF54603_2_02CF5460
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CE85033_2_02CE8503
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CF4EE93_2_02CF4EE9
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CF2E743_2_02CF2E74
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CE9F443_2_02CE9F44
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CEACFA3_2_02CEACFA
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CEDD593_2_02CEDD59
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02D0BF783_2_02D0BF78
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02D0BF293_2_02D0BF29
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02D0B4E53_2_02D0B4E5
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\DP Free Video Converter\is-2N4MA.tmp 513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00405964 appears 100 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00445734 appears 58 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00403400 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00406A1C appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00407884 appears 40 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00408B9C appears 44 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00445464 appears 44 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00433BD4 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00403494 appears 83 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 004559F0 appears 65 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00451940 appears 70 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 00403684 appears 203 times
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: String function: 004557F0 appears 95 times
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: String function: 02CE8BA0 appears 37 times
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: String function: 02CF53F0 appears 138 times
        Source: hAyQbTcI0I.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: hAyQbTcI0I.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: hAyQbTcI0I.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: hAyQbTcI0I.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-6073S.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-6073S.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: is-6073S.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-6073S.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-G27H3.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-4O0LJ.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-9LPV1.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-NED7E.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-L5N62.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-PPNQF.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-2N4MA.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-KGN1A.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-NOUEU.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-MLRBP.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: is-TFBPF.tmp.2.drStatic PE information: Number of sections : 11 > 10
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs hAyQbTcI0I.exe
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename! vs hAyQbTcI0I.exe
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs hAyQbTcI0I.exe
        Source: hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename! vs hAyQbTcI0I.exe
        Source: hAyQbTcI0I.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/69@2/3
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_02CE08C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,3_2_02CE08C0
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeCode function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004092A0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: 2_2_00453978 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_00453978
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: 2_2_004541A0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,2_2_004541A0
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: CloseServiceHandle,CreateServiceA,3_2_0040288A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpCode function: 2_2_00454624 CoCreateInstance,CoCreateInstance,SysFreeString,2_2_00454624
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeCode function: 0_2_00409A00 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409A00
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_004025AA StartServiceCtrlDispatcherA,3_2_004025AA
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeCode function: 3_2_004025AA StartServiceCtrlDispatcherA,3_2_004025AA
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video ConverterJump to behavior
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeFile created: C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: hAyQbTcI0I.exeReversingLabs: Detection: 23%
        Source: hAyQbTcI0I.exeVirustotal: Detection: 12%
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeFile read: C:\Users\user\Desktop\hAyQbTcI0I.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\hAyQbTcI0I.exe "C:\Users\user\Desktop\hAyQbTcI0I.exe"
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeProcess created: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpProcess created: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe "C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeProcess created: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp "C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe" Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpProcess created: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe "C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -iJump to behavior
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: shfolder.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: msacm32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: winmmbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: winmmbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: riched20.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: usp10.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: msls31.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: sfc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpSection loaded: sfc_os.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpWindow found: window name: TMainFormJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: hAyQbTcI0I.exeStatic file information: File size 4345372 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 3.2.dpfreevideoconverter3264.exe.400000.0.unpack .hreg4:EW;.ireg4:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Unpacked PE file: 3.2.dpfreevideoconverter3264.exe.400000.0.unpack
        Source: is-KSDHT.tmp.2.dr | Static PE information: 0x8C00008C [Mon Jun 6 07:19:40 2044 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00447B9C LoadLibraryExA,LoadLibraryA,GetProcAddress,2_2_00447B9C
        Source: initial sample | Static PE information: section where entry point is pointing to: .hreg4
        Source: dpfreevideoconverter3264.exe.2.dr | Static PE information: section name: .hreg4
        Source: dpfreevideoconverter3264.exe.2.dr | Static PE information: section name: .ireg4
        Source: is-37I6M.tmp.2.dr | Static PE information: section name: /4
        Source: is-4O0LJ.tmp.2.dr | Static PE information: section name: /4
        Source: is-TFBPF.tmp.2.dr | Static PE information: section name: /4
        Source: is-UUPB2.tmp.2.dr | Static PE information: section name: /4
        Source: is-RNIQ6.tmp.2.dr | Static PE information: section name: /4
        Source: is-ND6Q4.tmp.2.dr | Static PE information: section name: /4
        Source: is-9LPV1.tmp.2.dr | Static PE information: section name: /4
        Source: is-KSDHT.tmp.2.dr | Static PE information: section name: /4
        Source: is-E9QJH.tmp.2.dr | Static PE information: section name: /4
        Source: is-MLRBP.tmp.2.dr | Static PE information: section name: /4
        Source: is-QIJO8.tmp.2.dr | Static PE information: section name: /4
        Source: is-PPNQF.tmp.2.dr | Static PE information: section name: /4
        Source: is-KPCIR.tmp.2.dr | Static PE information: section name: /4
        Source: is-NOUEU.tmp.2.dr | Static PE information: section name: /4
        Source: is-2N4MA.tmp.2.dr | Static PE information: section name: /4
        Source: is-KGN1A.tmp.2.dr | Static PE information: section name: /4
        Source: is-NED7E.tmp.2.dr | Static PE information: section name: /4
        Source: is-LF8IA.tmp.2.dr | Static PE information: section name: /4
        Source: is-L5N62.tmp.2.dr | Static PE information: section name: /4
        Source: is-QM5QU.tmp.2.dr | Static PE information: section name: /4
        Source: is-L3IUL.tmp.2.dr | Static PE information: section name: /4
        Source: is-6HFPG.tmp.2.dr | Static PE information: section name: /4
        Source: is-7TG8V.tmp.2.dr | Static PE information: section name: /4
        Source: is-FBC4J.tmp.2.dr | Static PE information: section name: /4
        Source: is-2VULV.tmp.2.dr | Static PE information: section name: /4
        Source: is-G27H3.tmp.2.dr | Static PE information: section name: /4
        Source: is-S2ODS.tmp.2.dr | Static PE information: section name: /4
        Source: DP Free Video Converter 10.23.46.exe.3.dr | Static PE information: section name: .hreg4
        Source: DP Free Video Converter 10.23.46.exe.3.dr | Static PE information: section name: .ireg4
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00408D90 push 00408DC3h; ret 0_2_00408DBB
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax 0_2_00407FE5
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004098DC push 00409919h; ret 2_2_00409911
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004062BC push ecx; mov dword ptr [esp], eax 2_2_004062BD
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00430564 push ecx; mov dword ptr [esp], eax 2_2_00430569
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00410668 push ecx; mov dword ptr [esp], edx 2_2_0041066D
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004128C0 push 00412923h; ret 2_2_0041291B
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004508F8 push 0045092Bh; ret 2_2_00450923
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00442AD0 push ecx; mov dword ptr [esp], ecx 2_2_00442AD4
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00470C04 push ecx; mov dword ptr [esp], edx 2_2_00470C05
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0040CFC0 push ecx; mov dword ptr [esp], edx 2_2_0040CFC2
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045725C push 004572A0h; ret 2_2_00457298
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045B20C push ecx; mov dword ptr [esp], eax 2_2_0045B211
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0040546D push eax; ret 2_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047D4C0 push ecx; mov dword ptr [esp], ecx 2_2_0047D4C5
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0040F520 push ecx; mov dword ptr [esp], edx 2_2_0040F522
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00455A8C push 00455AC4h; ret 2_2_00455ABC
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00419BC0 push ecx; mov dword ptr [esp], ecx 2_2_00419BC5
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047BE6C push 0047BF4Ah; ret 2_2_0047BF42
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00409FD7 push ds; ret 2_2_00409FD8

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02CDF89A
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-7TG8V.tmp
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | File created: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-TFBPF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-L3IUL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-9LPV1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-2N4MA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-PPNQF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-NOUEU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-2VULV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File created: C:\Users\user\AppData\Local\DP Free Video Converter\is-KSDHT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-QIJO8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-S2ODS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-MLRBP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-RNIQ6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-6073S.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeFile created: C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_shfoldr.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-QM5QU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-E9QJH.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-FBC4J.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-UUPB2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-6HFPG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-G27H3.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-ND6Q4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-KPCIR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-37I6M.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-4O0LJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-NED7E.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-L5N62.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-LF8IA.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\DP Free Video Converter\is-KGN1A.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_RegDLL.tmpJump to dropped file

        Boot Survival

        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02CDF89A
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_004025AA StartServiceCtrlDispatcherA,3_2_004025AA
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00423BA4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_00423BA4
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00424174 IsIconic,SetActiveWindow,SetFocus,2_2_00424174
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0042412C IsIconic,SetActiveWindow,2_2_0042412C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0041831C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_0041831C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004227F4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_004227F4
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00417530 IsIconic,GetCapture,2_2_00417530
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047B83C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,2_2_0047B83C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00417C66 IsIconic,SetWindowPos,2_2_00417C66
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00417C68 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00417C68
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0044A9DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0044A9DC
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_00401B4B
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_02CDF99E
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Window / User API: threadDelayed 3479
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Window / User API: threadDelayed 6397
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-7TG8V.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-TFBPF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-L3IUL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-9LPV1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-2N4MA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-PPNQF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-2VULV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-NOUEU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-KSDHT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-QIJO8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-S2ODS.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-MLRBP.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-RNIQ6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-6073S.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-QM5QU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-E9QJH.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-FBC4J.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-UUPB2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-6HFPG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-G27H3.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-ND6Q4.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-KPCIR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-37I6M.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-4O0LJ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-NED7E.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-L5N62.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-LF8IA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\DP Free Video Converter\is-KGN1A.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5650
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-19838
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7648 | Thread sleep count: 3479 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7648 | Thread sleep time: -6958000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 8008 | Thread sleep count: 56 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 8008 | Thread sleep time: -3360000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7648 | Thread sleep count: 6397 > 30
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe TID: 7648 | Thread sleep time: -12794000s >= -30000s
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | File opened: PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047819C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,2_2_0047819C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0046E788 FindFirstFileA,FindNextFileA,FindClose,2_2_0046E788
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045105C FindFirstFileA,GetLastError,2_2_0045105C
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004760AC FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,2_2_004760AC
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045EB08 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_0045EB08
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045EF84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_0045EF84
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0048F0A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_0048F0A0
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0045D584 FindFirstFileA,FindNextFileA,FindClose,2_2_0045D584
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00409944 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409944
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Thread delayed: delay time: 60000
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | File opened: C:\Users\user\AppData
        Source: dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000968000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | API call chain: ExitProcess graph end node graph_0-6664
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | API call chain: ExitProcess graph end node graph_3-19839
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | API call chain: ExitProcess graph end node graph_3-22857
        Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_02CF01BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_02CF01BE
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00447B9C LoadLibraryExA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_02CD648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_02CE9528 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0047138C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_0042DE9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
Source: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | Code function: 3_2_02CE806E cpuid
Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_0040515C GetLocaleInfoA
Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004051A8 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_004084F8 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00408544 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00456538 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_004026C4 GetSystemTime
Source: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp | Code function: 2_2_00453930 GetUserNameA
Source: C:\Users\user\Desktop\hAyQbTcI0I.exe | Code function: 0_2_00405C44 GetVersionExA

        Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2601753399.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dpfreevideoconverter3264.exe PID: 7644, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2601753399.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dpfreevideoconverter3264.exe PID: 7644, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques matched by signatures; the number of matching signatures is given in parentheses, and matrix cells without any match are not listed)

Execution: Native API (3); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (4); Bootkit (1)
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (4); Process Injection (2)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (21); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (2); Bootkit (1)
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (35); Security Software Discovery (141); Virtualization/Sandbox Evasion (21); Application Window Discovery (11); System Owner/User Discovery (3); Remote System Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (113)
Impact: System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration: no matching signatures
Source | Detection | Scanner | Label
hAyQbTcI0I.exe | 24% | ReversingLabs
hAyQbTcI0I.exe | 12% | Virustotal
hAyQbTcI0I.exe | 100% | Avira | HEUR/AGEN.1332570
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | 100% | Avira | HEUR/AGEN.1314739
C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | 100% | Avira | HEUR/AGEN.1314739
C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | 100% | Joe Sandbox ML
C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | 100% | Joe Sandbox ML
C:\ProgramData\DP Free Video Converter 10.23.46\DP Free Video Converter 10.23.46.exe | 34% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe | 34% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\DP Free Video Converter\is-2N4MA.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-2VULV.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-37I6M.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-4O0LJ.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-6HFPG.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-7TG8V.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-9LPV1.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-E9QJH.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-FBC4J.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-G27H3.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-KGN1A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-KPCIR.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-KSDHT.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-L3IUL.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-L5N62.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-LF8IA.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-MLRBP.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-ND6Q4.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-NED7E.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-NOUEU.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-PPNQF.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-QIJO8.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-QM5QU.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-RNIQ6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-S2ODS.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-TFBPF.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\is-UUPB2.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgdk-win32-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgdk_pixbuf-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgdkmm-2.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libglibmm-2.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgmodule-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgobject-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgomp-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libgraphite2.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libharfbuzz-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libintl-8.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libjpeg-8.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\liblcms2-2.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\liblzma-5.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpango-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpangocairo-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpangoft2-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpangomm-1.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpangowin32-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpcre-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpixman-1-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libpng16-16.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\librsvg-2-2.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libsigc-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libtiff-5.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\libwinpthread-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\is-6073S.tmp | 3% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\uninstall\unins000.exe (copy) | 3% | ReversingLabs
C:\Users\user\AppData\Local\DP Free Video Converter\zlib1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DSMCE.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://fsf.org/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | Active: true | Malicious: false | Reputation: unknown
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | Active: true | Malicious: false | Reputation: unknown
csvskfe.net | 185.208.158.202 | Active: true | Malicious: true | Reputation: unknown
Name | Malicious | Antivirus Detection | Reputation
http://csvskfe.net/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f | Malicious: true | Reputation: unknown
http://csvskfe.net/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 | Malicious: true | Reputation: unknown
csvskfe.net | Malicious: true | Reputation: unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | Source: hAyQbTcI0I.tmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | Malicious: false | URL Reputation: safe | Reputation: unknown
http://tukaani.org/ | Source: is-MLRBP.tmp.2.dr | Malicious: false | Reputation: unknown
http://185.208.158.202/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978 | Source: dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.000000000331F000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003314000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://tukaani.org/xz/ | Source: is-MLRBP.tmp.2.dr | Malicious: false | Reputation: unknown
http://mingw-w64.sourceforge.net/X | Source: is-G27H3.tmp.2.dr | Malicious: false | Reputation: unknown
http://185.2 | Source: dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003348000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://185.208.158.202/search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | Source: dpfreevideoconverter3264.exe, 00000003.00000002.2600247342.0000000000A54000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://www.remobjects.com/?ps | Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | Malicious: false | Reputation: unknown
http://185.208.158.202/sV | Source: dpfreevideoconverter3264.exe, 00000003.00000002.2602262918.0000000003348000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://fsf.org/ | Source: hAyQbTcI0I.exe, 00000000.00000003.1337309119.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000002.2600194129.00000000022A8000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600536918.0000000002169000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1346454649.0000000000869000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600180185.000000000084E000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340161721.000000000217C000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340031274.0000000003110000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.gnu.org/licenses/ | Source: hAyQbTcI0I.exe, 00000000.00000003.1337309119.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000002.2600194129.00000000022A8000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600536918.0000000002169000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1346454649.0000000000869000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2600180185.000000000084E000.00000004.00000020.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340161721.000000000217C000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000003.1340031274.0000000003110000.00000004.00001000.00020000.00000000.sdmp, is-9LPV1.tmp.2.dr | Malicious: false | Reputation: unknown
http://www.remobjects.com/?psU | Source: hAyQbTcI0I.exe, 00000000.00000003.1337932678.00000000022B4000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.exe, 00000000.00000003.1337737042.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, hAyQbTcI0I.tmp, 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, hAyQbTcI0I.tmp.0.dr, is-6073S.tmp.2.dr | Malicious: false | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | Malicious: false
185.208.158.202 | csvskfe.net | Switzerland | 34888 | SIMPLECARRER2IT | Malicious: true
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | Malicious: false
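The domain, URL and IP tables above are the indicators a defender would actually hunt with. The script below is an added example (not Joe Sandbox code and not part of the analysed sample) that runs those indicators over HTTP proxy log lines. Two details of this report drive its design: the C2 beacon appears both under the hostname csvskfe.net and as a bare-IP request to 185.208.158.202, so the destination IP is checked independently of the Host header; and the beacon URI has a fixed shape (/search/?q= followed by a long lowercase hex blob). The log line format, the sample log lines, the 64-character minimum for the hex blob, and the decision to flag 89.105.201.183 at low severity (it is marked non-malicious above but is tied to other Socks5Systemz analyses in the related-samples table) are all assumptions of this example.

```python
"""Match the network indicators from the report above against proxy logs.

Added example, not code from Joe Sandbox or from the analysed sample. The
log format and the sample log lines below are constructed for the example.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report's domain, URL and IP tables.
C2_DOMAINS = {"csvskfe.net"}
C2_IPS = {"185.208.158.202"}
# Marked non-malicious in the report, but the related-samples table links it
# to other Socks5Systemz analyses, so it is flagged at low severity (assumption).
WATCH_IPS = {"89.105.201.183"}

# Beacon shape seen in the report: GET /search/?q=<long lowercase hex blob>.
# The 64-char minimum is an assumption chosen so ordinary search queries do
# not match; the report's q values are more than 200 hex characters.
BEACON_PATH = "/search/"
HEX_BLOB = re.compile(r"^[0-9a-f]{64,}$")

# Constructed log format (one request per line):
#   <timestamp> <client_ip> <host_header> <dst_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst_ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(host: str, dst_ip: str, url: str) -> list[str]:
    """Return the indicator names one HTTP request matches (empty if none).

    The destination IP is checked independently of the Host header because
    the sample beacons to the bare IP as well as to csvskfe.net; a rule that
    keys only on the hostname misses the direct-IP requests in the report.
    """
    reasons: list[str] = []
    if host.lower() in C2_DOMAINS:
        reasons.append("c2_domain")
    if dst_ip in C2_IPS:
        reasons.append("c2_ip")
    elif dst_ip in WATCH_IPS:
        reasons.append("watch_ip")
    parts = urlsplit(url)
    if parts.path == BEACON_PATH:
        q = parse_qs(parts.query).get("q", [""])[0]
        if HEX_BLOB.match(q):
            reasons.append("beacon_uri")
    return reasons


def scan_log(lines: list[str]) -> list[dict]:
    """Parse log lines and return one hit record per matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        reasons = classify_request(m["host"], m["dst_ip"], m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": m["host"], "dst_ip": m["dst_ip"],
                         "reasons": reasons})
    return hits


# q value taken from one of the contacted URLs listed in the report.
_Q = ("67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8"
      "bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510"
      "b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312")

# Constructed sample log: benign Steam traffic, the two beacon forms from the
# report, an innocent /search/ request and a request to the watch-listed IP.
SAMPLE_LOG = [
    "2024-10-24T08:38:49Z 10.0.0.5 steamcommunity.com 104.102.49.254 GET https://steamcommunity.com/ 200",
    f"2024-10-24T08:39:02Z 10.0.0.5 185.208.158.202 185.208.158.202 GET http://185.208.158.202/search/?q={_Q} 200",
    f"2024-10-24T08:39:40Z 10.0.0.5 csvskfe.net 185.208.158.202 GET http://csvskfe.net/search/?q={_Q} 200",
    "2024-10-24T08:40:00Z 10.0.0.7 www.example.com 93.184.216.34 GET http://www.example.com/search/?q=deadbeef 200",
    "2024-10-24T08:41:13Z 10.0.0.5 89.105.201.183 89.105.201.183 POST http://89.105.201.183/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], hit["dst_ip"], ",".join(hit["reasons"]))
```

Run as a script it prints the three matching requests from the constructed log; the steamcommunity.com request produces no hit, which matters because that host is contacted by many unrelated samples (see the related-samples table below) and alerting on it alone would be noise.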
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540829
Start date and time: 2024-10-24 08:37:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hAyQbTcI0I.exe (renamed because the original name is a hash value)
Original Sample Name: 08b4f4533262033c2a77f079c9c72949.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/69@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 189
• Number of non-executed functions: 234
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:38:49 | API Interceptor | 526341x Sleep call for process: dpfreevideoconverter3264.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | Context: www.valvesoftware.com/legal.htm
185.208.158.202 | 1iGYsIphmN.exe | malicious | Socks5Systemz
185.208.158.202 | XettQ15qw4.exe | malicious | Socks5Systemz
185.208.158.202 | 7rBLc6cmJZ.exe | malicious | Socks5Systemz
185.208.158.202 | r1LQ3TmnJT.exe | malicious | Socks5Systemz
185.208.158.202 | NebHwSvhee.exe | malicious | Socks5Systemz
185.208.158.202 | 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz
185.208.158.202 | PWT2xZ7185.exe | malicious | Socks5Systemz
185.208.158.202 | mSQRCKjhxz.exe | malicious | Socks5Systemz
185.208.158.202 | V2sD5e8M9n.exe | malicious | Socks5Systemz
185.208.158.202 | WwlZEpBtps.exe | malicious | Socks5Systemz
89.105.201.183 | N6jsQ3XNNX.exe | malicious | Socks5Systemz | Context: 200
89.105.201.183 | cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | Context: 200
Match | Associated Sample Name / URL | Detection | Threat Name | Context
steamcommunity.com | file.exe | malicious | LummaC, Stealc | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC | Context: 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC | Context: 104.102.49.254
s-part-0017.t-0009.fb-t-msedge.net | 68767783000729717.js | malicious | Strela Downloader | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://chiquitzinbb.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPWQxbDZOVGc9JnVpZD1VU0VSMTYxMDIwMjRVMTExMDE2NDc=N0123N | malicious | HTMLPhisher, Mamba2FA | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://fromsmash.com/8A4OM5kRFs-et | malicious | Unknown | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | Play_VM.Now.matt.sibilo_Audio.wav...v.html | malicious | HtmlDropper | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://s.id/closingdocview67111111 | malicious | HTMLPhisher | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | Review_&_Aprove_Your_Next_Payroll39298.html | malicious | Unknown | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | PayrolNotificationBenefit_.html | malicious | Mamba2FA | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://www.pumpproducts.com/goulds-lb0735te-centrifugal-booster-pump-3-4-hp-208-230-460-volts-3-phase-1-1-4-npt-suction-1-npt-discharge-18-gpm-max-176-ft-max-head-5-impeller-tefc-stainless-steel-pump-end-casing.html | malicious | Unknown | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://boulos.pages.dev/index.html | malicious | HTMLPhisher | Context: 13.107.253.45
s-part-0017.t-0009.fb-t-msedge.net | https://1drv.ms/o/c/fca0349b9dac3054/Egg4xW-gVZtFnFIBDYLqn3IBzvGvLdCTacUKBwENWO33dQ?e=nEqWJi | malicious | Unknown | Context: 13.107.253.45
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRER2IT
  1iGYsIphmN.exe | malicious | Socks5Systemz | 185.208.158.202
  XettQ15qw4.exe | malicious | Socks5Systemz | 185.208.158.202
  7rBLc6cmJZ.exe | malicious | Socks5Systemz | 185.208.158.202
  r1LQ3TmnJT.exe | malicious | Socks5Systemz | 185.208.158.202
  NebHwSvhee.exe | malicious | Socks5Systemz | 185.208.158.202
  239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz | 185.208.158.202
  PWT2xZ7185.exe | malicious | Socks5Systemz | 185.208.158.202
  mSQRCKjhxz.exe | malicious | Socks5Systemz | 185.208.158.202
  V2sD5e8M9n.exe | malicious | Socks5Systemz | 185.208.158.202
  WwlZEpBtps.exe | malicious | Socks5Systemz | 185.208.158.202
AKAMAI-ASUS
  file.exe | malicious | LummaC, Stealc | 104.102.49.254
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254
  la.bot.arm5.elf | malicious | Unknown | 104.107.128.1
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.102.49.254
  https://www.ccleaner.com/ | malicious | Unknown | 2.19.225.128
NOVOSERVE-ASNL
  1iGYsIphmN.exe | malicious | Socks5Systemz | 89.105.201.183
  la.bot.m68k.elf | malicious | Unknown | 89.105.208.192
  239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz | 89.105.201.183
  WwlZEpBtps.exe | malicious | Socks5Systemz | 89.105.201.183
  r89xjCQs8A.exe | malicious | Socks5Systemz | 89.105.201.183
  bAmSLrOrem.exe | malicious | Socks5Systemz | 89.105.201.183
  MOf0GCHrzJ.exe | malicious | Socks5Systemz | 89.105.201.183
  ywqsUiCsOs.exe | malicious | Socks5Systemz | 89.105.201.183
  Yb6D4ggK6O.exe | malicious | Socks5Systemz | 89.105.201.183
  b6f3325a89a735a16e5edfe56f8f8814251063d0d2ee6.exe | malicious | Socks5Systemz | 89.105.201.183
                                                            No context
Match
  Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\DP Free Video Converter\is-2N4MA.tmp
  1iGYsIphmN.exe | malicious | Socks5Systemz
  XettQ15qw4.exe | malicious | Socks5Systemz
  7rBLc6cmJZ.exe | malicious | Socks5Systemz
  r1LQ3TmnJT.exe | malicious | Socks5Systemz
  NebHwSvhee.exe | malicious | Socks5Systemz
  239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe | malicious | Socks5Systemz
  PWT2xZ7185.exe | malicious | Socks5Systemz
  mSQRCKjhxz.exe | malicious | Socks5Systemz
  V2sD5e8M9n.exe | malicious | Socks5Systemz
  WwlZEpBtps.exe | malicious | Socks5Systemz
                                                                                Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2800128
                                                                                Entropy (8bit):6.5657797916626555
                                                                                Encrypted:false
                                                                                SSDEEP:24576:jwsTZLj0lxMBioYncI3LuuFN5X+yBubIy4rb1HaIrMkOLva7i2jLPwF6OKrnOgQk:BQ3vJiXkOu7ZfhGjvA2GUKoSE
                                                                                MD5:EE5ECF7045884A8234C995C6D38B7A90
                                                                                SHA1:8D238F0D5D1E80102401E294C7CFE4F297482D2E
                                                                                SHA-256:01CD6DF5A5B08123EA6A0CA47F998A5215635C062A002C9C7F056FDEF76843D8
                                                                                SHA-512:C68C3D07AEE6942F86A41C21612E16EF3DC9BB910ED60C9DEEDDDA3F3E7E95EC98D1E4989F38B02093348D64464459E00F22C5906C1B298058BF283AF902BADB
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 34%
                                                                                Reputation:low
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L.................."..H......."......."...@..........................P+......\+.....................................t.".@.....#..p............................................................................"..............................hreg4..z.".......".................`....ireg4..n<...."..>....".............@..@.data...8....0#..0....#.............@....rsrc....r....#..r...H#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):8
                                                                                Entropy (8bit):2.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:+n:+n
                                                                                MD5:43AEBE4913448B6EE73AE75D5A8AB929
                                                                                SHA1:AE8940C1ED6BF3316ED8D9A5DCF69E1C735053B8
                                                                                SHA-256:C03BC22AD2EB5E8E6C99884737C7A2F618BCACA2B1F9622CAC976394AE709ABA
                                                                                SHA-512:D30030FC16C527F70BCB5A62B056E94F26A1C7D0B73FD58CFD76F7C82ABF6FD22B001D4211B39A1A3998ECB4C474E0E57E62B2F7B3CD961387A82A149AFC5D5A
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:...g....
                                                                                Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):4
                                                                                Entropy (8bit):0.8112781244591328
                                                                                Encrypted:false
                                                                                SSDEEP:3:k:k
                                                                                MD5:A9D3C3F72A8AF78C3497847E11CA8C2F
                                                                                SHA1:0726FE07F58D10AEF41A74AF4E0EA2C608BA93E3
                                                                                SHA-256:6CB5A8EC7215303AF880F8BA134519B2C53A4B261CDB55A06FE64385E6FDC484
                                                                                SHA-512:FD6308771A601BC89C942557B17850404E8DED90678F48D49BA623F1EFFCFEC93BE704442E9E0213648FC23FE5659C9A6BD8E56757792F398941DAF7CD0824C0
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:I...
                                                                                Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):128
                                                                                Entropy (8bit):2.9545817380615236
                                                                                Encrypted:false
                                                                                SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                Process:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):128
                                                                                Entropy (8bit):1.7095628900165245
                                                                                Encrypted:false
                                                                                SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                                MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                                SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                                SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                                SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
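The Entropy (8bit), Encrypted and Preview fields listed for every dropped file are useful for triage (a high-entropy blob dropped by an installer is usually a packed or encrypted payload), but the report does not show how they are derived. The following added example, my own code rather than anything from Joe Sandbox, recomputes those three fields so they can be produced for any local file and compared against the report. It assumes the report's Preview renders non-printable bytes as '.', that the padding in the two 128-byte hash files above is NUL bytes (any single repeated byte value gives the same entropy), and an Encrypted cut-off of 7.2 bits per byte, which is a common heuristic and not the report's published threshold. The constructed inputs mirror the 4-byte file and the two 128-byte files from this report.

```python
"""
Added example (not Joe Sandbox code): recompute the per-file metrics a sandbox
report lists for dropped files -- 8-bit Shannon entropy, an "Encrypted"
verdict and the printable-ASCII preview -- for offline comparison.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    entropy = 0.0
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def render_preview(data: bytes, width: int = 1024) -> str:
    """Printable ASCII (0x20-0x7E) is kept, every other byte becomes '.', as in the report's Preview field."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data[:width])


# Assumed threshold (not published by the report): compressed, encrypted and
# packed data typically sits above ~7.2 bits/byte; plain PE code is usually 5-6.5.
ENCRYPTED_THRESHOLD = 7.2


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Entropy-based stand-in for the report's Encrypted field."""
    return shannon_entropy(data) >= threshold


def describe(data: bytes) -> dict:
    """Return the subset of report fields this example can reproduce."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "encrypted": looks_encrypted(data),
        "preview": render_preview(data),
    }


# Constructed inputs mirroring three dropped files from this report. The '.'
# runs in the report's preview are assumed to be NUL padding.
SAMPLE_4B = b"I" + b"\x00" * 3                                  # 4-byte file, preview "I..."
SAMPLE_128B_A = b"30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca" + b"\x00" * 64
SAMPLE_128B_B = b"dad6f9fa0c8327344d1aa24f183c3767" + b"\x00" * 96

if __name__ == "__main__":
    for name, blob in (("4-byte", SAMPLE_4B), ("128-byte A", SAMPLE_128B_A), ("128-byte B", SAMPLE_128B_B)):
        d = describe(blob)
        print(f"{name}: size={d['size']} entropy={d['entropy']:.16f} "
              f"encrypted={d['encrypted']} preview={d['preview'][:40]}")
```

Running the block reproduces the report's values for the constructed inputs: 0.8112781244591328 for the 4-byte file and 2.9545817380615236 and 1.7095628900165245 for the two 128-byte hash files. The same functions applied to the 2.8 MB dpfreevideoconverter3264.exe payload would let you check whether its 6.57 bits/byte is typical of uncompressed code or of an embedded packed section, which is the question the Encrypted field answers only as a single yes/no.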
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):2800128
                                                                                Entropy (8bit):6.5657797916626555
                                                                                Encrypted:false
                                                                                SSDEEP:24576:jwsTZLj0lxMBioYncI3LuuFN5X+yBubIy4rb1HaIrMkOLva7i2jLPwF6OKrnOgQk:BQ3vJiXkOu7ZfhGjvA2GUKoSE
                                                                                MD5:EE5ECF7045884A8234C995C6D38B7A90
                                                                                SHA1:8D238F0D5D1E80102401E294C7CFE4F297482D2E
                                                                                SHA-256:01CD6DF5A5B08123EA6A0CA47F998A5215635C062A002C9C7F056FDEF76843D8
                                                                                SHA-512:C68C3D07AEE6942F86A41C21612E16EF3DC9BB910ED60C9DEEDDDA3F3E7E95EC98D1E4989F38B02093348D64464459E00F22C5906C1B298058BF283AF902BADB
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 34%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L.................."..H......."......."...@..........................P+......\+.....................................t.".@.....#..p............................................................................"..............................hreg4..z.".......".................`....ireg4..n<...."..>....".............@..@.data...8....0#..0....#.............@....rsrc....r....#..r...H#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):259014
                                                                                Entropy (8bit):6.075222655669795
                                                                                Encrypted:false
                                                                                SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: 1iGYsIphmN.exe, Detection: malicious, Browse
                                                                                • Filename: XettQ15qw4.exe, Detection: malicious, Browse
                                                                                • Filename: 7rBLc6cmJZ.exe, Detection: malicious, Browse
                                                                                • Filename: r1LQ3TmnJT.exe, Detection: malicious, Browse
                                                                                • Filename: NebHwSvhee.exe, Detection: malicious, Browse
                                                                                • Filename: 239c8b10775a00048df8eeccc1ad36394a86eb67934c8.exe, Detection: malicious, Browse
                                                                                • Filename: PWT2xZ7185.exe, Detection: malicious, Browse
                                                                                • Filename: mSQRCKjhxz.exe, Detection: malicious, Browse
                                                                                • Filename: V2sD5e8M9n.exe, Detection: malicious, Browse
                                                                                • Filename: WwlZEpBtps.exe, Detection: malicious, Browse
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):448557
                                                                                Entropy (8bit):6.353356595345232
                                                                                Encrypted:false
                                                                                SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                                MD5:908111F583B7019D2ED3492435E5092D
                                                                                SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                                SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                                SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):463112
                                                                                Entropy (8bit):6.363613724826455
                                                                                Encrypted:false
                                                                                SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                                MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                                SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                                SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                                SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):26562
                                                                                Entropy (8bit):5.606958768500933
                                                                                Encrypted:false
                                                                                SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):248781
                                                                                Entropy (8bit):6.474165596279956
                                                                                Encrypted:false
                                                                                SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                                MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                                SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                                SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                                SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):248694
                                                                                Entropy (8bit):6.346971642353424
                                                                                Encrypted:false
                                                                                SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):140752
                                                                                Entropy (8bit):6.52778891175594
                                                                                Encrypted:false
                                                                                SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):397808
                                                                                Entropy (8bit):6.396146399966879
                                                                                Encrypted:false
                                                                                SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):30994
                                                                                Entropy (8bit):5.666281517516177
                                                                                Encrypted:false
                                                                                SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                                MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                                SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                                SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                                SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):65181
                                                                                Entropy (8bit):6.085572761520829
                                                                                Encrypted:false
                                                                                SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                                MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                                SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                                SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                                SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):64724
                                                                                Entropy (8bit):5.910307743399971
                                                                                Encrypted:false
                                                                                SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                                MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                                SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                                SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                                SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):268404
                                                                                Entropy (8bit):6.265024248848175
                                                                                Encrypted:false
                                                                                SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                                MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                                SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                                SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                                SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):509934
                                                                                Entropy (8bit):6.031080686301204
                                                                                Encrypted:false
                                                                                SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):706136
                                                                                Entropy (8bit):6.517672165992715
                                                                                Encrypted:false
                                                                                SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                                MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                                SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                                SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                                SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 101544
Entropy (8bit): 6.237382830377451
Encrypted: false
SSDEEP: 1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5: E13FCD8FB16E483E4DE47A036687D904
SHA1: A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256: 0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512: 38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......*... ...,..................@.0@.bss.........P........................`..edata..-....`.......*..............@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 165739
Entropy (8bit): 6.062324507479428
Encrypted: false
SSDEEP: 3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5: E2F18B37BC3D02CDE2E5C15D93E38418
SHA1: 1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256: 7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512: 61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 171848
Entropy (8bit): 6.579154579239999
Encrypted: false
SSDEEP: 3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
MD5: 236A679AB1B16E66625AFBA86A4669EB
SHA1: 73AE354886AB2609FFA83429E74D8D9F34BD45F2
SHA-256: B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
SHA-512: C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 441975
Entropy (8bit): 6.372283713065844
Encrypted: false
SSDEEP: 6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
MD5: 6CD78C8ADD1CFC7CBB85E2B971FCC764
SHA1: 5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
SHA-256: C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
SHA-512: EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 92019
Entropy (8bit): 5.974787373427489
Encrypted: false
SSDEEP: 1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5: CC7DAD980DD04E0387795741D809CBF7
SHA1: A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256: 0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512: E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0...*...........................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.......*..................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 181527
Entropy (8bit): 6.362061002967905
Encrypted: false
SSDEEP: 3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5: 0D0D311D1837705B1EAFBC5A85A695BD
SHA1: AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256: AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512: 14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 814068
Entropy (8bit): 6.5113626552096
Encrypted: false
SSDEEP: 24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5: 5B1EB4B36F189362DEF93BF3E37354CC
SHA1: 8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256: D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512: BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 121524
Entropy (8bit): 6.347995296737745
Encrypted: false
SSDEEP: 1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5: 6CE25FB0302F133CC244889C360A6541
SHA1: 352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256: E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512: 3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 291245
Entropy (8bit): 6.234245376773595
Encrypted: false
SSDEEP: 6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
MD5: 2D8A0BC588118AA2A63EED7BF6DFC8C5
SHA1: 7FB318DC21768CD62C0614D7AD773CCFB7D6C893
SHA-256: 707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
SHA-512: A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: data
Category: dropped
Size (bytes): 2800128
Entropy (8bit): 6.565779484838268
Encrypted: false
SSDEEP: 24576:ewsTZLj0lxMBioYncI3LuuFN5X+yBubIy4rb1HaIrMkOLva7i2jLPwF6OKrnOgQk:6Q3vJiXkOu7ZfhGjvA2GUKoSE
MD5: 5843C9CC7E6841A2E44D1A32A3904D0C
SHA1: FCCC5E503D39DDC374F15CCB1FE846A6850A8B74
SHA-256: 07149AF925C55A2450E62F36A1D4242F187094593D8F4903E7CF5715EC20F02D
SHA-512: E3107D2088A088F8795A33CC1A33AC3D72B72F797D169A56484AB7877945258838941BB9D31E53B7348CFD1805ACCB2BEBF88838D398110E4FD651A3F5B6806F
Malicious: false
Preview: .Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L.................."..H......."......."...@..........................P+......\+.....................................t.".@.....#..p............................................................................"..............................hreg4..z.".......".................`....ireg4..n<...."..>....".............@..@.data...8....0#..0....#.............@....rsrc....r....#..r...H#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 235032
Entropy (8bit): 6.398850087061798
Encrypted: false
SSDEEP: 6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5: E1D0ACD1243F9E59491DC115F4E379A4
SHA1: 5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256: FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512: 392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):98626
                                                                                Entropy (8bit):6.478068795827396
                                                                                Encrypted:false
                                                                                SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                                MD5:70CA53E8B46464CCF956D157501D367A
                                                                                SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                                SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                                SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):337171
                                                                                Entropy (8bit):6.46334441651647
                                                                                Encrypted:false
                                                                                SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                                MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                                SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                                SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                                SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):174543
                                                                                Entropy (8bit):6.3532700320638025
                                                                                Encrypted:false
                                                                                SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                                MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                                SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                                SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                                SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):121524
                                                                                Entropy (8bit):6.347995296737745
                                                                                Encrypted:false
                                                                                SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                                MD5:6CE25FB0302F133CC244889C360A6541
                                                                                SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                                SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                                SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):814068
                                                                                Entropy (8bit):6.5113626552096
                                                                                Encrypted:false
                                                                                SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                                MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                                SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                                SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                                SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):181527
                                                                                Entropy (8bit):6.362061002967905
                                                                                Encrypted:false
                                                                                SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                                MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                                SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                                SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                                SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):268404
                                                                                Entropy (8bit):6.265024248848175
                                                                                Encrypted:false
                                                                                SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                                MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                                SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                                SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                                SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):463112
                                                                                Entropy (8bit):6.363613724826455
                                                                                Encrypted:false
                                                                                SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                                MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                                SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                                SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                                SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):26562
                                                                                Entropy (8bit):5.606958768500933
                                                                                Encrypted:false
                                                                                SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):337171
                                                                                Entropy (8bit):6.46334441651647
                                                                                Encrypted:false
                                                                                SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                                MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                                SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                                SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                                SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):174543
                                                                                Entropy (8bit):6.3532700320638025
                                                                                Encrypted:false
                                                                                SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                                MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                                SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                                SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                                SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):235032
                                                                                Entropy (8bit):6.398850087061798
                                                                                Encrypted:false
                                                                                SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                                MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                                SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                                SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                                SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):441975
                                                                                Entropy (8bit):6.372283713065844
                                                                                Encrypted:false
                                                                                SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                                MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                                SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                                SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                                SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):140752
                                                                                Entropy (8bit):6.52778891175594
                                                                                Encrypted:false
                                                                                SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):509934
                                                                                Entropy (8bit):6.031080686301204
                                                                                Encrypted:false
                                                                                SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):397808
                                                                                Entropy (8bit):6.396146399966879
                                                                                Encrypted:false
                                                                                SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):171848
                                                                                Entropy (8bit):6.579154579239999
                                                                                Encrypted:false
                                                                                SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                                MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                                SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                                SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                                SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):259014
                                                                                Entropy (8bit):6.075222655669795
                                                                                Encrypted:false
                                                                                SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):64724
                                                                                Entropy (8bit):5.910307743399971
                                                                                Encrypted:false
                                                                                SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                                MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                                SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                                SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                                SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):92019
                                                                                Entropy (8bit):5.974787373427489
                                                                                Encrypted:false
                                                                                SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                                MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                                SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                                SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                                SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):165739
                                                                                Entropy (8bit):6.062324507479428
                                                                                Encrypted:false
                                                                                SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                                MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                                SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                                SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                                SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):101544
                                                                                Entropy (8bit):6.237382830377451
                                                                                Encrypted:false
                                                                                SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                                MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                                SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                                SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                                SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):291245
                                                                                Entropy (8bit):6.234245376773595
                                                                                Encrypted:false
                                                                                SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                                MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                                SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                                SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                                SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):706136
                                                                                Entropy (8bit):6.517672165992715
                                                                                Encrypted:false
                                                                                SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                                MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                                SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                                SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                                SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):248781
                                                                                Entropy (8bit):6.474165596279956
                                                                                Encrypted:false
                                                                                SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                                MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                                SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                                SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                                SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):248694
                                                                                Entropy (8bit):6.346971642353424
                                                                                Encrypted:false
                                                                                SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):30994
                                                                                Entropy (8bit):5.666281517516177
                                                                                Encrypted:false
                                                                                SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                                MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                                SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                                SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                                SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):448557
                                                                                Entropy (8bit):6.353356595345232
                                                                                Encrypted:false
                                                                                SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                                MD5:908111F583B7019D2ED3492435E5092D
                                                                                SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                                SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                                SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):65181
                                                                                Entropy (8bit):6.085572761520829
                                                                                Encrypted:false
                                                                                SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                                MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                                SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                                SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                                SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):691481
                                                                                Entropy (8bit):6.478896070996252
                                                                                Encrypted:false
                                                                                SSDEEP:12288:bNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNgwnsjxGO:xuz2eVrPw7373zHEA6hQz4OWDjqSsjxX
                                                                                MD5:33AE70EF447B4665E4ED7026E7399AAD
                                                                                SHA1:B74318A98186EC991B9CE99383018C1B0C611C0B
                                                                                SHA-256:B874531D50F9C4012C6377FEC98E2EC292409CA1A220E3649A7D80877AD905AB
                                                                                SHA-512:ED42A7EF5254195E70D3AEBEE2FDFACC74E2754D14BF0E2D738D5CE293592C5684E33A844934A5996A391C7223E47AA07ECF4FE9C9217F137FB0058B8DDF99D8
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P...................@...........................0...%.......:...................................................p......................................................CODE....0........................... ..`DATA....l...........................@...BSS......................................idata...%...0...&..................@....tls.........`.......(...................rdata.......p.......(..............@..P.reloc..P............*..............@..P.rsrc....:.......:...*..............@..P.............P......................@..P........................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:InnoSetup Log DP Free Video Converter, version 0x30, 6087 bytes, 284992\user, "C:\Users\user\AppData\Local\DP Free Video Converter"
                                                                                Category:dropped
                                                                                Size (bytes):6087
                                                                                Entropy (8bit):4.885870492455539
                                                                                Encrypted:false
                                                                                SSDEEP:96:12WGT8Bpaow0/9sE+eOIhTeQEbaVHLbA3MvkTYMaDeAXW5xgi2OIdWxBSq:12WGTOpao0lHIhxXq
                                                                                MD5:E50E3C2259017CB565FA8688217A3301
                                                                                SHA1:E27841187E044C40E7D7DF22AF8900191A3D7029
                                                                                SHA-256:D66816E488C16245DEEFCAE37C6D09F8CAF85C564B877DF113A084EBED8A46B7
                                                                                SHA-512:8508C95F2DCE68C6BC43A0A0FB3CB43580E5AE61222CADFB07D9B03D00C3912EFE2244B4329A9A5A29E2C6BC8C97121D4A14EEF0A703642F453413829E7B3CE1
                                                                                Malicious:false
                                                                                Preview:Inno Setup Uninstall Log (b)....................................DP Free Video Converter.........................................................................................................DP Free Video Converter.........................................................................................................0...".......%............................................................................................................................9........\....284992.user8C:\Users\user\AppData\Local\DP Free Video Converter...........&...... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%.
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):691481
                                                                                Entropy (8bit):6.478896070996252
                                                                                Encrypted:false
                                                                                SSDEEP:12288:bNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNgwnsjxGO:xuz2eVrPw7373zHEA6hQz4OWDjqSsjxX
                                                                                MD5:33AE70EF447B4665E4ED7026E7399AAD
                                                                                SHA1:B74318A98186EC991B9CE99383018C1B0C611C0B
                                                                                SHA-256:B874531D50F9C4012C6377FEC98E2EC292409CA1A220E3649A7D80877AD905AB
                                                                                SHA-512:ED42A7EF5254195E70D3AEBEE2FDFACC74E2754D14BF0E2D738D5CE293592C5684E33A844934A5996A391C7223E47AA07ECF4FE9C9217F137FB0058B8DDF99D8
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P...................@...........................0...%.......:...................................................p......................................................CODE....0........................... ..`DATA....l...........................@...BSS......................................idata...%...0...&..................@....tls.........`.......(...................rdata.......p.......(..............@..P.reloc..P............*..............@..P.rsrc....:.......:...*..............@..P.............P......................@..P........................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):98626
                                                                                Entropy (8bit):6.478068795827396
                                                                                Encrypted:false
                                                                                SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                                MD5:70CA53E8B46464CCF956D157501D367A
                                                                                SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                                SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                                SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):3584
                                                                                Entropy (8bit):4.012434743866195
                                                                                Encrypted:false
                                                                                SSDEEP:48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD
                                                                                MD5:C594B792B9C556EA62A30DE541D2FB03
                                                                                SHA1:69E0207515E913243B94C2D3A116D232FF79AF5F
                                                                                SHA-256:5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E
                                                                                SHA-512:387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2560
                                                                                Entropy (8bit):2.8818118453929262
                                                                                Encrypted:false
                                                                                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                MD5:A69559718AB506675E907FE49DEB71E9
                                                                                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):5632
                                                                                Entropy (8bit):4.203889009972449
                                                                                Encrypted:false
                                                                                SSDEEP:48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv
                                                                                MD5:B4604F8CD050D7933012AE4AA98E1796
                                                                                SHA1:36B7D966C7F87860CD6C46096B397AA23933DF8E
                                                                                SHA-256:B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5
                                                                                SHA-512:3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):23312
                                                                                Entropy (8bit):4.596242908851566
                                                                                Encrypted:false
                                                                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\Desktop\hAyQbTcI0I.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):680960
                                                                                Entropy (8bit):6.470075680243964
                                                                                Encrypted:false
                                                                                SSDEEP:12288:zNuz2eB7rPw7373zHEA6Tcg1Qz4OXm9NrevRWNgwnsjxG:Juz2eVrPw7373zHEA6hQz4OWDjqSsjxG
                                                                                MD5:161D763BD5AAFAFDDA6E2D06CC832D98
                                                                                SHA1:380571E92161502823FD8B6BFD7F8EA88DD4B9F6
                                                                                SHA-256:E1DBAB9B76D63F18FA1927F709F033D2CC62C89AD3633ABBAFBD0D0A5F1A8F22
                                                                                SHA-512:3CC3B34BAD30FAFF783D77438F663F98F9D2D86E63D0581DD75313813570502820DF16BEE0E3AA07E80DC8F602B704A501E77951C1B21B410E5285A17B0911CD
                                                                                Malicious:true
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.998583885031342
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 97.43%
                                                                                • Win32 Executable PowerBASIC/Win 9.x (148305/79) 1.44%
                                                                                • Inno Setup installer (109748/4) 1.07%
                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                File name:hAyQbTcI0I.exe
                                                                                File size:4'345'372 bytes
                                                                                MD5:08b4f4533262033c2a77f079c9c72949
                                                                                SHA1:4f82986f1c055d475374b4f6168f7a7bcdcfe50a
                                                                                SHA256:5b9c4eb3b57004c472245f3483fe5065f47b992543ff0d7ce3aaf100ab59088f
                                                                                SHA512:fe3a012ac1deec8871550a2127810c5077ac8ad22503641073a10f99ac9791ea856fc331e123f0b11dcba3fbdf0d9ab56264a9287332ed7c9cdec26391096dce
                                                                                SSDEEP:98304:MjzaB5KUu8ppKNBqV7xv8f5+j720l8PQH2YO5VIuvuunu5+:CaqBEpKHq38fw32LvYw5fnu5+
                                                                                TLSH:DE16332ACAA33632F552BDB45E59B19B92093D1072BCD806B4FC4DEF4F2F5162045B1E
                                                                                Icon Hash:2d2e3797b32b2b99
                                                                                Entrypoint:0x409a54
                                                                                Entrypoint Section:CODE
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:1
                                                                                OS Version Minor:0
                                                                                File Version Major:1
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:1
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                Instruction
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                add esp, FFFFFFC4h
                                                                                push ebx
                                                                                push esi
                                                                                push edi
                                                                                xor eax, eax
                                                                                mov dword ptr [ebp-10h], eax
                                                                                mov dword ptr [ebp-24h], eax
                                                                                call 00007F473CAD6D57h
                                                                                call 00007F473CAD7F5Eh
                                                                                call 00007F473CADA189h
                                                                                call 00007F473CADA1D0h
                                                                                call 00007F473CADC9F7h
                                                                                call 00007F473CADCB5Eh
                                                                                xor eax, eax
                                                                                push ebp
                                                                                push 0040A102h
                                                                                push dword ptr fs:[eax]
                                                                                mov dword ptr fs:[eax], esp
                                                                                xor edx, edx
                                                                                push ebp
                                                                                push 0040A0CBh
                                                                                push dword ptr fs:[edx]
                                                                                mov dword ptr fs:[edx], esp
                                                                                mov eax, dword ptr [0040C014h]
                                                                                call 00007F473CADD580h
                                                                                call 00007F473CADD0EBh
                                                                                lea edx, dword ptr [ebp-10h]
                                                                                xor eax, eax
                                                                                call 00007F473CADA795h
                                                                                mov edx, dword ptr [ebp-10h]
                                                                                mov eax, 0040CDE4h
                                                                                call 00007F473CAD6E08h
                                                                                push 00000002h
                                                                                push 00000000h
                                                                                push 00000001h
                                                                                mov ecx, dword ptr [0040CDE4h]
                                                                                mov dl, 01h
                                                                                mov eax, 004072A4h
                                                                                call 00007F473CADB000h
                                                                                mov dword ptr [0040CDE8h], eax
                                                                                xor edx, edx
                                                                                push ebp
                                                                                push 0040A083h
                                                                                push dword ptr fs:[edx]
                                                                                mov dword ptr fs:[edx], esp
                                                                                call 00007F473CADD5F0h
                                                                                mov dword ptr [0040CDF0h], eax
                                                                                mov eax, dword ptr [0040CDF0h]
                                                                                cmp dword ptr [eax+0Ch], 01h
                                                                                jne 00007F473CADD72Ah
                                                                                mov eax, dword ptr [0040CDF0h]
                                                                                mov edx, 00000028h
                                                                                call 00007F473CADB401h
                                                                                mov edx, dword ptr [0040CDF0h]
                                                                                cmp eax, dword ptr [edx+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x916c | 0x9200 | f9c9dd3f4dceede0add0e7309253e897 | False | 0.6143247003424658 | data | 6.5647212410937765 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 4a56e30ca4646e6369d96abeacb0e6f0 | False | 0.306640625 | data | 2.7335120306674594 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2a00 | 0x2a00 | 5c312f58cefb675fac54bbe001530aff | False | 0.32505580357142855 | data | 4.4237460228354255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x3cc | data | English | United States | 0.32407407407407407
RT_MANIFEST | 0x13448 | 0x47e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4330434782608696
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T08:39:09.105457+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49970 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:10.283560+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:13.460462+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.210486+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:14.625507+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:15.674388+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:16.094026+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.116086+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:17.533506+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:18.551736+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49977 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:19.646253+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:20.059357+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:21.104643+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49979 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:22.223645+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49980 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:23.251107+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49981 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:24.294266+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49982 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:25.499957+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49983 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:26.530984+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49984 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:27.560438+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49985 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:28.600804+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49986 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:29.013830+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49986 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:30.048086+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49987 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:31.240002+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49988 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:31.654941+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49988 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:32.677317+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49989 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:33.087927+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49989 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:34.181833+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49990 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:35.217851+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49991 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:36.252864+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49992 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:37.434274+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49993 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:38.474946+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49994 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:38.889122+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49994 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:40.059236+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49995 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:41.104698+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49996 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:41.531111+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49996 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:42.730130+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49997 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:43.886916+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49998 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:44.931629+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49999 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:45.350574+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 49999 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:46.587156+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:46.994428+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:47.413255+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:47.827263+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:48.847390+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50001 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:50.003155+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50002 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:51.031996+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50003 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:52.074017+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50004 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:53.173299+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50005 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:54.204248+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50006 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:55.244055+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50007 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:55.654276+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50007 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:56.694822+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50008 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:57.108054+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50008 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.148476+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.557709+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:39:58.965649+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:00.019052+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50010 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:01.047550+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50011 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:02.091518+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50012 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:03.251070+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50013 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:04.299491+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50014 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:05.325764+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50015 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:06.374572+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50016 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:07.403667+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50017 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:08.434228+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50018 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:09.464187+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50019 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:10.561628+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50020 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:11.582435+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50021 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:12.630483+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50022 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:13.674515+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50023 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:14.697202+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50024 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:15.750947+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50025 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:16.791816+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50026 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:17.833952+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50029 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:18.851043+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50030 | 185.208.158.202 | 80 | TCP
2024-10-24T08:40:19.911339+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.7 | 50031 | 185.208.158.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 08:39:08.193377018 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:08.199911118 CEST | 80 | 49970 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:08.200027943 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:08.205570936 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:08.212253094 CEST | 80 | 49970 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:09.105277061 CEST | 80 | 49970 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:09.105457067 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.358619928 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.358978033 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.364322901 CEST | 80 | 49970 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:09.364451885 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:09.364537001 CEST | 49970 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.364593983 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.364731073 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:09.370141983 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:10.283449888 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:10.283560038 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:10.284661055 CEST | 49973 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:10.289975882 CEST | 2023 | 49973 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:10.290097952 CEST | 49973 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:10.290200949 CEST | 49973 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:10.295468092 CEST | 2023 | 49973 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:10.295552015 CEST | 49973 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:10.300849915 CEST | 2023 | 49973 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:11.118453026 CEST | 2023 | 49973 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:11.161775112 CEST | 49973 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:13.134195089 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:13.139574051 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:13.460268974 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:13.460462093 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:13.571023941 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:13.576421022 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.210381031 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.210485935 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.211664915 CEST | 49974 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:14.216999054 CEST | 2023 | 49974 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:14.217144012 CEST | 49974 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:14.217223883 CEST | 49974 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:14.217273951 CEST | 49974 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:14.222520113 CEST | 2023 | 49974 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:14.263030052 CEST | 2023 | 49974 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:14.322221994 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.327954054 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.625370026 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.625507116 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.742993116 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.743592978 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.751094103 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.751214027 CEST | 80 | 49971 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.751230001 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.751338005 CEST | 49971 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.751656055 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:14.757164001 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:14.817291021 CEST | 2023 | 49974 | 89.105.201.183 | 192.168.2.7
Oct 24, 2024 08:39:14.817488909 CEST | 49974 | 2023 | 192.168.2.7 | 89.105.201.183
Oct 24, 2024 08:39:15.674312115 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:15.674387932 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:15.792576075 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:15.798161030 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:16.093899965 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:16.094026089 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.213016033 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.213409901 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.218539953 CEST | 80 | 49975 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:16.218635082 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:16.218697071 CEST | 49975 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.218760967 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.219053030 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:16.224330902 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.115747929 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.116086006 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.227799892 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.233156919 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.533413887 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.533505917 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.649502993 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.650341034 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.655421019 CEST | 80 | 49976 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.655569077 CEST | 49976 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.655695915 CEST | 80 | 49977 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:17.655966997 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.656054020 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:17.661348104 CEST | 80 | 49977 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:18.551655054 CEST | 80 | 49977 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:18.551736116 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.729037046 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.729500055 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.734452963 CEST | 80 | 49977 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:18.734534979 CEST | 49977 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.734802008 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:18.734899998 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.735218048 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:18.740530968 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:19.646178007 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:19.646253109 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:19.758604050 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:19.763858080 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:20.059242964 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:20.059356928 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.182120085 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.182735920 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.187959909 CEST | 80 | 49978 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:20.188045025 CEST | 49978 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.188095093 CEST | 80 | 49979 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:20.188153028 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.188297033 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:20.193532944 CEST | 80 | 49979 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:21.104504108 CEST | 80 | 49979 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:21.104643106 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:21.307053089 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:21.312678099 CEST | 80 | 49979 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:21.312732935 CEST | 49979 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:21.315124035 CEST | 49980 | 80 | 192.168.2.7 | 185.208.158.202
Oct 24, 2024 08:39:21.320573092 CEST | 80 | 49980 | 185.208.158.202 | 192.168.2.7
Oct 24, 2024 08:39:21.320923090 CEST | 49980 | 80 | 192.168.2.7 | 185.208.158.202
                                                                                Oct 24, 2024 08:39:21.330391884 CEST4998080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:21.335722923 CEST8049980185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:22.223391056 CEST8049980185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:22.223644972 CEST4998080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.336639881 CEST4998080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.337626934 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.342257023 CEST8049980185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:22.342323065 CEST4998080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.342969894 CEST8049981185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:22.343096018 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.343426943 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:22.348867893 CEST8049981185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:23.250880957 CEST8049981185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:23.251106977 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.375107050 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.376107931 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.380629063 CEST8049981185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:23.380733013 CEST4998180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.381453037 CEST8049982185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:23.381769896 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.382129908 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:23.387413979 CEST8049982185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:24.294122934 CEST8049982185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:24.294265985 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.583890915 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.589206934 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.589576960 CEST8049982185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:24.589687109 CEST4998280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.594661951 CEST8049983185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:24.594744921 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.598078012 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:24.603564978 CEST8049983185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:25.499790907 CEST8049983185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:25.499957085 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.619290113 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.619657040 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.624907017 CEST8049983185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:25.624972105 CEST8049984185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:25.625020027 CEST4998380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.625164986 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.625366926 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:25.630670071 CEST8049984185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:26.530853987 CEST8049984185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:26.530983925 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.650918961 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.651325941 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.656722069 CEST8049985185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:26.656776905 CEST8049984185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:26.656856060 CEST4998480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.656869888 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.656968117 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:26.662242889 CEST8049985185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:27.560373068 CEST8049985185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:27.560437918 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.680885077 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.681757927 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.686717987 CEST8049985185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:27.686857939 CEST4998580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.687364101 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:27.687448978 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.687634945 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:27.693203926 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:28.600738049 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:28.600804090 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:28.711997986 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:28.717556000 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:29.013678074 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:29.013829947 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.133630037 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.134229898 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.139430046 CEST8049986185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:29.139497995 CEST8049987185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:29.139502048 CEST4998680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.139584064 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.139707088 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:29.144949913 CEST8049987185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:30.047926903 CEST8049987185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:30.048085928 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.303873062 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.304292917 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.309448004 CEST8049987185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:30.309520006 CEST4998780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.309609890 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:30.309690952 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.330167055 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:30.335529089 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.239898920 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.240001917 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.354116917 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.359415054 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.654791117 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.654941082 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.776429892 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.776784897 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.782123089 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.782151937 CEST8049988185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:31.782229900 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.782416105 CEST4998880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.791066885 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:31.796427965 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:32.677212954 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:32.677316904 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:32.791158915 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:32.796494961 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:33.087789059 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:33.087927103 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.273266077 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.273948908 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.278783083 CEST8049989185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:33.278906107 CEST4998980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.279288054 CEST8049990185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:33.279370070 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.381036043 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:33.386301994 CEST8049990185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:34.181660891 CEST8049990185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:34.181833029 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.308516026 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.309047937 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.314759970 CEST8049990185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:34.314773083 CEST8049991185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:34.314971924 CEST4999080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.314975023 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.315265894 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:34.320550919 CEST8049991185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:35.217695951 CEST8049991185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:35.217850924 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.336654902 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.337023973 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.342386007 CEST8049991185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:35.342431068 CEST8049992185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:35.342497110 CEST4999180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.342719078 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.342888117 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:35.348220110 CEST8049992185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:36.252799988 CEST8049992185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:36.252863884 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.519959927 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.524657011 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.526272058 CEST8049992185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:36.526352882 CEST4999280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.529959917 CEST8049993185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:36.530050039 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.693208933 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:36.898927927 CEST8049993185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:37.434020042 CEST8049993185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:37.434273958 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.555975914 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.556416035 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.561430931 CEST8049993185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:37.561755896 CEST4999380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.561755896 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:37.561842918 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.562046051 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:37.567398071 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:38.474853992 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:38.474946022 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:38.587055922 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:38.592411995 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:38.888993979 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:38.889122009 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.009900093 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.010381937 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.140283108 CEST8049995185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:39.140410900 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.140492916 CEST8049994185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:39.140564919 CEST4999480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.141186953 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:39.146430016 CEST8049995185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:40.059159994 CEST8049995185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:40.059236050 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.180620909 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.180994034 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.186712980 CEST8049996185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:40.186862946 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.187120914 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.187169075 CEST8049995185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:40.187235117 CEST4999580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:40.192756891 CEST8049996185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:41.104644060 CEST8049996185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:41.104697943 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:41.216331959 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:41.221802950 CEST8049996185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:41.531013966 CEST8049996185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:39:41.531111002 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:41.649549007 CEST4999680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:39:41.649878025 CEST4999780192.168.2.7185.208.158.202
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 24, 2024 08:39:41.814904928 CEST  80           49997      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:41.815052986 CEST  49997        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:41.815221071 CEST  80           49996      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:41.815304995 CEST  49996        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:41.815632105 CEST  49997        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:41.820895910 CEST  80           49997      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:42.729968071 CEST  80           49997      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:42.730129957 CEST  49997        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.949531078 CEST  49997        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.949875116 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.955252886 CEST  80           49997      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:42.955267906 CEST  80           49998      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:42.955348015 CEST  49997        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.955399036 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.957026958 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:42.962260008 CEST  80           49998      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:43.886637926 CEST  80           49998      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:43.886915922 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.008755922 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.009264946 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.014553070 CEST  80           49998      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:44.014674902 CEST  49998        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.014697075 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:44.014786005 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.014981985 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:44.020360947 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:44.931564093 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:44.931628942 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.039958000 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.045408010 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:45.350481033 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:45.350574017 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.675760984 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.676227093 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.681389093 CEST  80           49999      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:45.681448936 CEST  49999        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.681541920 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:45.681642056 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.690151930 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:45.695589066 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:46.586975098 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:46.587156057 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:46.696304083 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:46.701608896 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:46.994220018 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:46.994427919 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.102365017 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.107786894 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.413094044 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.413254976 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.527667046 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.532977104 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.825355053 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.827263117 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.947351933 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.947848082 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.953211069 CEST  80           50000      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.953228951 CEST  80           50001      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:47.953309059 CEST  50000        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.953350067 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.953521967 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:47.958859921 CEST  80           50001      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:48.847296953 CEST  80           50001      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:48.847389936 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.094743013 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.095242977 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.100425959 CEST  80           50001      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:49.100474119 CEST  50001        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.100505114 CEST  80           50002      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:49.100611925 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.106192112 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:49.111476898 CEST  80           50002      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:50.003026962 CEST  80           50002      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:50.003154993 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.121054888 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.121551037 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.126724005 CEST  80           50002      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:50.126796961 CEST  50002        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.126842022 CEST  80           50003      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:50.126914978 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.127083063 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:50.132360935 CEST  80           50003      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:51.031929016 CEST  80           50003      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:51.031996012 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.153664112 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.154138088 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.159287930 CEST  80           50003      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:51.159426928 CEST  50003        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.159485102 CEST  80           50004      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:51.159553051 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.159797907 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:51.165106058 CEST  80           50004      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:52.073820114 CEST  80           50004      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:52.074017048 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.196266890 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.196635962 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.202008963 CEST  80           50005      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:52.202136993 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.202346087 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.203758955 CEST  80           50004      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:52.203819036 CEST  50004        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:52.207684994 CEST  80           50005      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:53.173115015 CEST  80           50005      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:53.173299074 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.290623903 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.291459084 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.296365023 CEST  80           50005      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:53.296483994 CEST  50005        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.296847105 CEST  80           50006      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:53.296950102 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.297341108 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:53.302665949 CEST  80           50006      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:54.204147100 CEST  80           50006      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:54.204247952 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.325655937 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.326064110 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.331418037 CEST  80           50006      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:54.331434965 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:54.331546068 CEST  50006        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.331603050 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.331841946 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:54.337080956 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.243922949 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.244055033 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.353753090 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.359147072 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.654160023 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.654275894 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.774513960 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.774993896 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.780365944 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.780383110 CEST  80           50007      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:55.780499935 CEST  50007        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.780673027 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.780673027 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:55.786016941 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:56.694684982 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:56.694822073 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:56.805766106 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:56.811183929 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:57.107604027 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:57.108053923 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.228287935 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.228655100 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.234200001 CEST  80           50008      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:57.234225988 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:57.234283924 CEST  50008        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.234354973 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.234703064 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:57.239984989 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.148366928 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.148475885 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:58.258801937 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:58.264100075 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.557614088 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.557708979 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:58.665208101 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:58.671839952 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.965477943 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:58.965648890 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.086922884 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.087553978 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.092819929 CEST  80           50009      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:59.092896938 CEST  50009        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.092900038 CEST  80           50010      185.208.158.202  192.168.2.7
Oct 24, 2024 08:39:59.093072891 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.093203068 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:39:59.098459005 CEST  80           50010      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:00.018970966 CEST  80           50010      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:00.019052029 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.133922100 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.134311914 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.139794111 CEST  80           50010      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:00.139854908 CEST  50010        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.139858007 CEST  80           50011      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:00.139921904 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.140077114 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:00.145392895 CEST  80           50011      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:01.047221899 CEST  80           50011      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:01.047549963 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.165115118 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.165577888 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.170969009 CEST  80           50012      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:01.171145916 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.171145916 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.171183109 CEST  80           50011      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:01.171237946 CEST  50011        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:01.176762104 CEST  80           50012      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:02.091449022 CEST  80           50012      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:02.091517925 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.347981930 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.348387957 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.353595018 CEST  80           50012      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:02.353683949 CEST  50012        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.353744030 CEST  80           50013      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:02.353924990 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.353925943 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:02.359416008 CEST  80           50013      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:03.250802040 CEST  80           50013      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:03.251070023 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.376816988 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.376996040 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.382339954 CEST  80           50014      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:03.382472038 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.382550001 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.382814884 CEST  80           50013      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:03.382935047 CEST  50013        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:03.387794018 CEST  80           50014      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:04.299305916 CEST  80           50014      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:04.299490929 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.414988041 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.415344000 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.420726061 CEST  80           50015      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:04.420903921 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.420944929 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.420981884 CEST  80           50014      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:04.421046019 CEST  50014        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:04.426282883 CEST  80           50015      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:05.325705051 CEST  80           50015      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:05.325763941 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.445838928 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.446177006 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.451467037 CEST  80           50016      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:05.451551914 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.451558113 CEST  80           50015      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:05.451617002 CEST  50015        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.451731920 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:05.457043886 CEST  80           50016      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:06.374397993 CEST  80           50016      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:06.374572039 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.492743015 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.493179083 CEST  50017        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.499350071 CEST  80           50017      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:06.499527931 CEST  80           50016      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:06.499607086 CEST  50016        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.499622107 CEST  50017        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.499881983 CEST  50017        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:06.505100965 CEST  80           50017      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:07.403609991 CEST  80           50017      185.208.158.202  192.168.2.7
Oct 24, 2024 08:40:07.403666973 CEST  50017        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:07.524380922 CEST  50017        80         192.168.2.7      185.208.158.202
Oct 24, 2024 08:40:07.524744034 CEST  50018        80         192.168.2.7      185.208.158.202
                                                                                Oct 24, 2024 08:40:07.530083895 CEST8050017185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:07.530133963 CEST8050018185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:07.530160904 CEST5001780192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:07.530234098 CEST5001880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:07.530353069 CEST5001880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:07.535866976 CEST8050018185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:08.434101105 CEST8050018185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:08.434227943 CEST5001880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.555728912 CEST5001880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.556011915 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.561518908 CEST8050019185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:08.561536074 CEST8050018185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:08.561609030 CEST5001880192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.561638117 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.561806917 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:08.567051888 CEST8050019185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:09.464025974 CEST8050019185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:09.464186907 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.651846886 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.652169943 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.657677889 CEST8050019185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:09.657720089 CEST8050020185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:09.657789946 CEST5001980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.657812119 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.658010006 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:09.663325071 CEST8050020185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:10.561517954 CEST8050020185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:10.561628103 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.680634022 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.681052923 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.686245918 CEST8050020185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:10.686346054 CEST5002080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.686362982 CEST8050021185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:10.686434984 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.686616898 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:10.691857100 CEST8050021185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:11.582232952 CEST8050021185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:11.582434893 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.698415041 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.698725939 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.704049110 CEST8050021185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:11.704066038 CEST8050022185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:11.704145908 CEST5002180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.704238892 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.704459906 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:11.710426092 CEST8050022185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:12.630403996 CEST8050022185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:12.630482912 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.745851994 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.746259928 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.751502037 CEST8050022185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:12.751611948 CEST5002280192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.751641989 CEST8050023185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:12.751887083 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.752079964 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:12.757301092 CEST8050023185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:13.674329042 CEST8050023185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:13.674515009 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.792047977 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.792469025 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.797790051 CEST8050023185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:13.797808886 CEST8050024185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:13.797874928 CEST5002380192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.797949076 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.798141003 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:13.803407907 CEST8050024185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:14.696751118 CEST8050024185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:14.697201967 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.827882051 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.828159094 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.834321022 CEST8050025185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:14.834336996 CEST8050024185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:14.834408045 CEST5002480192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.834412098 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.835114956 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:14.841213942 CEST8050025185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:15.750861883 CEST8050025185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:15.750946999 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.872184038 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.872854948 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.879180908 CEST8050025185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:15.879249096 CEST5002580192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.879403114 CEST8050026185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:15.879477024 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.879641056 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:15.886215925 CEST8050026185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:16.029459953 CEST20234997389.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:16.048774004 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:16.048805952 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:16.048888922 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:16.049082041 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:16.054676056 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:16.054738998 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:16.054831982 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:16.060467005 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:16.060534000 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:16.067193985 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:16.099396944 CEST499732023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:16.791733980 CEST8050026185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:16.791815996 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.917058945 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.917763948 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.922523022 CEST8050026185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:16.922594070 CEST5002680192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.923170090 CEST8050029185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:16.923296928 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.923456907 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:16.928695917 CEST8050029185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:16.964615107 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:16.967427015 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:16.967468023 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:17.005656958 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:17.810833931 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:17.811058998 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:17.816498041 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:17.833862066 CEST8050029185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:17.833951950 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.865051985 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:17.949294090 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.949789047 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.954907894 CEST8050029185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:17.954978943 CEST5002980192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.955055952 CEST8050030185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:17.955156088 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.955332994 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:17.960665941 CEST8050030185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:18.132222891 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.132348061 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:18.132390976 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:18.133833885 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:18.133843899 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:18.133913040 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:18.134051085 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:18.139492989 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.139518976 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.139532089 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.139552116 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:18.144947052 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.522722006 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.523180962 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:18.523436069 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:18.523811102 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:18.529134989 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.568186045 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:18.568208933 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:18.568398952 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:18.573679924 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:18.615123987 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:18.850888014 CEST8050030185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:18.851042986 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.979522943 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.979862928 CEST5003180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.985053062 CEST8050030185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:18.985152006 CEST8050031185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:18.985203028 CEST5003080192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.985431910 CEST5003180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.985562086 CEST5003180192.168.2.7185.208.158.202
                                                                                Oct 24, 2024 08:40:18.990806103 CEST8050031185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140914917 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140933990 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140942097 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140964031 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140985012 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.140991926 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.141064882 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:19.141084909 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.141093016 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.141114950 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.141177893 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:19.141177893 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:19.141177893 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:19.468988895 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:19.469153881 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:19.469162941 CEST50027443192.168.2.7104.102.49.254
                                                                                Oct 24, 2024 08:40:19.469185114 CEST44350027104.102.49.254192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474423885 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474462986 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474518061 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:19.474632025 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474649906 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474662066 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474679947 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474690914 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474697113 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:19.474703074 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474728107 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474739075 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474750042 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474795103 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474816084 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.474823952 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.480137110 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.480281115 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.480561018 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.480808973 CEST20235002889.105.201.183192.168.2.7
                                                                                Oct 24, 2024 08:40:19.480863094 CEST500282023192.168.2.789.105.201.183
                                                                                Oct 24, 2024 08:40:19.911072969 CEST8050031185.208.158.202192.168.2.7
                                                                                Oct 24, 2024 08:40:19.911339045 CEST5003180192.168.2.7185.208.158.202
UDP Packets

| Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP       |
| Oct 24, 2024 08:39:07.749810934 CEST | 64663     | 53        | 192.168.2.7   | 45.155.250.90 |
| Oct 24, 2024 08:39:07.784080029 CEST | 53        | 64663     | 45.155.250.90 | 192.168.2.7   |
| Oct 24, 2024 08:40:16.037048101 CEST | 60358     | 53        | 192.168.2.7   | 1.1.1.1       |
| Oct 24, 2024 08:40:16.044290066 CEST | 53        | 60358     | 1.1.1.1       | 192.168.2.7   |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 08:39:07.749810934 CEST | 192.168.2.7 | 45.155.250.90 | 0xe69e | Standard query (0) | csvskfe.net | A (IP address) | IN (0x0001) | false
Oct 24, 2024 08:40:16.037048101 CEST | 192.168.2.7 | 1.1.1.1 | 0x3577 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 08:38:10.261353970 CEST | 1.1.1.1 | 192.168.2.7 | 0x7d42 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 08:38:10.261353970 CEST | 1.1.1.1 | 192.168.2.7 | 0x7d42 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 08:38:10.261353970 CEST | 1.1.1.1 | 192.168.2.7 | 0x7d42 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 08:39:07.784080029 CEST | 45.155.250.90 | 192.168.2.7 | 0xe69e | No error (0) | csvskfe.net | | 185.208.158.202 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 08:40:16.044290066 CEST | 1.1.1.1 | 192.168.2.7 | 0x3577 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
• https:
  • steamcommunity.com
• csvskfe.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49970 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:08.205570936 CEST | 318 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:09.105277061 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49971 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:09.364731073 CEST | 318 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf616c5ee9c9f3f HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:10.283449888 CEST | 806 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                                Data Raw: 32 35 36 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 63 36 39 35 39 61 62 37 32 65 38 36 36 61 63 33 37 34 62 63 32 66 64 64 30 30 32 63 32 34 33 63 64 37 64 62 62 31 34 66 61 32 64 38 64 32 30 66 61 31 36 61 31 37 38 63 37 35 30 62 33 65 39 34 64 65 64 35 61 37 66 34 38 65 64 32 33 36 36 38 62 33 39 36 32 38 65 65 31 31 34 63 38 66 31 39 37 39 39 33 32 63 37 36 65 39 36 31 36 64 38 35 62 38 37 32 38 61 38 35 62 62 33 65 62 34 31 32 30 65 62 37 61 63 63 66 63 37 64 62 63 38 35 65 61 64 35 34 61 65 36 33 35 63 38 31 31 33 64 34 33 35 38 32 30 66 64 32 31 37 32 31 36 36 37 62 39 65 34 38 37 66 62 38 36 32 64 35 61 65 65 35 66 36 35 32 30 66 38 32 64 34 33 66 30 66 61 66 39 38 64 66 39 33 37 37 31 61 35 65 64 34 37 39 32 38 66 66 32 37 38 33 39 31 [TRUNCATED]
                                                                                Data Ascii: 25667b68a8a3203a77b0418f55f677c81c459fe8bd2e91f1ef5a25ce91585bccfb5fbc40ad9088be8de2266e208a6bb9d592dec6959ab72e866ac374bc2fdd002c243cd7dbb14fa2d8d20fa16a178c750b3e94ded5a7f48ed23668b39628ee114c8f1979932c76e9616d85b8728a85bb3eb4120eb7accfc7dbc85ead54ae635c8113d435820fd21721667b9e487fb862d5aee5f6520f82d43f0faf98df93771a5ed47928ff2783915be76ee99caac64d4680f293164ac5ccfd5a8272cbfca10bb02a7a331bdcfca30742a05da34f512ebd9a0054bd42112c35dd1f6639d26b49740a0e3d4b6c13e24a07abfeb0098a0bc7351a18ff13facfa849819ee0aeb50834c6ccfa390b89c1208fdc6b963f1799f5e72ef7abb788cdc43c64be76d5b4f0ac7d56b573f54608ef5872f1c0
Oct 24, 2024 08:39:13.134195089 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:13.460268974 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:13.571023941 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:14.210381031 CEST | 662 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                                Data Raw: 31 63 36 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 62 39 30 63 64 65 64 31 38 30 31 65 61 61 36 35 30 66 34 30 31 64 37 66 61 38 31 65 66 39 34 38 37 34 64 38 62 34 38 64 36 66 62 64 39 33 32 32 39 61 31 34 62 65 30 64 36 63 37 31 31 32 61 65 61 37 37 35 38 61 64 37 65 66 37 36 30 61 38 32 64 35 37 63 35 66 65 63 64 30 64 63 38 35 64 63 66 37 65 62 39 31 61 66 65 33 33 38 61 32 36 65 66 31 38 61 34 37 38 63 37 35 33 62 39 66 64 34 66 65 62 35 62 36 31 34 32 65 38 32 31 36 64 39 30 33 62 36 37 38 65 66 34 31 30 63 37 65 37 38 62 39 38 33 62 64 33 36 62 39 36 30 38 64 39 35 30 38 37 32 30 62 33 35 39 62 33 65 32 35 37 32 32 66 33 37 61 64 34 66 61 36 37 62 65 38 39 66 31 64 34 34 39 65 66 33 34 63 38 31 36 33 35 35 64 35 31 32 39 65 31 33 62 37 34 30 62 37 38 62 38 65 64 38 63 65 30 38 37 32 38 35 32 65 63 35 64 37 62 32 31 66 65 32 31 35 63 66 66 66 39 66 39 38 65 66 66 33 64 36 35 61 37 65 66 35 39 39 33 38 37 66 65 37 30 32 36 31 [TRUNCATED]
                                                                                Data Ascii: 1c667b69c953804b26b565fe95b321bd19a55fb90cded1801eaa650f401d7fa81ef94874d8b48d6fbd93229a14be0d6c7112aea7758ad7ef760a82d57c5fecd0dc85dcf7eb91afe338a26ef18a478c753b9fd4feb5b6142e8216d903b678ef410c7e78b983bd36b9608d9508720b359b3e25722f37ad4fa67be89f1d449ef34c816355d5129e13b740b78b8ed8ce0872852ec5d7b21fe215cfff9f98eff3d65a7ef599387fe702613bd68e491cfac64d4631b2a3562b256c9d5a73c2ebac20db91ebba336a6c4ce376a280cd53ae813eed1b50647d72112c054c5f5608324bd955ea2e2e00
Oct 24, 2024 08:39:14.322221994 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:14.625370026 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49975 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:14.751656055 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:15.674312115 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:15.792576075 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:16.093899965 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49976 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:16.219053030 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:17.115747929 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:17.227799892 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:17.533413887 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49977 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:17.656054020 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:18.551655054 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49978 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:18.735218048 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:19.646178007 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:19.758604050 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:20.059242964 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49979 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:20.188297033 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:21.104504108 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49980 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:21.330391884 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:22.223391056 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49981 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:22.343426943 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:23.250880957 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49982 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:23.382129908 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:24.294122934 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49983 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:24.598078012 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:25.499790907 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49984 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:25.625366926 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:26.530853987 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49985 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:26.656968117 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:27.560373068 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49986 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:27.687634945 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:28.600738049 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:28.711997986 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:29.013678074 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49987 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:29.139707088 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:30.047926903 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49988 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:30.330167055 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:31.239898920 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:31.354116917 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:31.654791117 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 49989 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:31.791066885 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:32.677212954 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:32.791158915 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:33.087789059 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 49990 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:33.381036043 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:34.181660891 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 49991 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:34.315265894 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:35.217695951 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.7 | 49992 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:35.342888117 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:36.252799988 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.7 | 49993 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:36.693208933 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:37.434020042 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.7 | 49994 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:37.562046051 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:38.474853992 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:38.587055922 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:38.888993979 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.7 | 49995 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:39.141186953 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:40.059159994 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.7 | 49996 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:40.187120914 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:41.104644060 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:41.216331959 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:41.531013966 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.7 | 49997 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:41.815632105 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:42.729968071 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.7 | 49998 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:42.957026958 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:43.886637926 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.7 | 49999 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:44.014981985 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:44.931564093 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:45.039958000 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:45.350481033 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.7 | 50000 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:45.690151930 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:46.586975098 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:46.696304083 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:46.994220018 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:47.102365017 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:47.413094044 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:47.527667046 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:47.825355053 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.7 | 50001 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:47.953521967 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:48.847296953 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.7 | 50002 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:49.106192112 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:50.003026962 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.7 | 50003 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:50.127083063 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:51.031929016 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:39:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.7 | 50004 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:51.159797907 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:52.073820114 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.7 | 50005 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:52.202346087 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:53.173115015 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.7 | 50006 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:53.297341108 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:54.204147100 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.7 | 50007 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:54.331841946 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:55.243922949 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:55.353753090 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:55.654160023 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.7 | 50008 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:55.780673027 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:56.694684982 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:56.805766106 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:57.107604027 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.7 | 50009 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:57.234703064 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:58.148366928 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:58.258801937 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:58.557614088 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 24, 2024 08:39:58.665208101 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:39:58.965477943 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.7 | 50010 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:39:59.093203068 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:00.018970966 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:39:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.7 | 50011 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:40:00.140077114 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:01.047221899 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:40:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.7 | 50012 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:40:01.171145916 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:02.091449022 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:40:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.7 | 50013 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:40:02.353925943 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:03.250802040 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:40:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.7 | 50014 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:40:03.382550001 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:04.299305916 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:40:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.7 | 50015 | 185.208.158.202 | 80 | 7644 | C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 08:40:04.420944929 CEST | 326 | OUT | GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
    Host: csvskfe.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 24, 2024 08:40:05.325705051 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 24 Oct 2024 06:40:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID       43
Source IP        192.168.2.7
Source Port      50016
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:05.451731920 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:06.374397993 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       44
Source IP        192.168.2.7
Source Port      50017
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:06.499881983 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:07.403609991 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       45
Source IP        192.168.2.7
Source Port      50018
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:07.530353069 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:08.434101105 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       46
Source IP        192.168.2.7
Source Port      50019
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:08.561806917 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:09.464025974 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       47
Source IP        192.168.2.7
Source Port      50020
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:09.658010006 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:10.561517954 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       48
Source IP        192.168.2.7
Source Port      50021
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:10.686616898 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:11.582232952 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       49
Source IP        192.168.2.7
Source Port      50022
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:11.704459906 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:12.630403996 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       50
Source IP        192.168.2.7
Source Port      50023
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:12.752079964 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:13.674329042 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       51
Source IP        192.168.2.7
Source Port      50024
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:13.798141003 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:14.696751118 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       52
Source IP        192.168.2.7
Source Port      50025
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:14.835114956 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:15.750861883 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       53
Source IP        192.168.2.7
Source Port      50026
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:15.879641056 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:16.791733980 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       54
Source IP        192.168.2.7
Source Port      50029
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:16.923456907 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:17.833862066 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       55
Source IP        192.168.2.7
Source Port      50030
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:17.955332994 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:18.850888014 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID       56
Source IP        192.168.2.7
Source Port      50031
Destination IP   185.208.158.202
Destination Port 80
PID              7644
Process          C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: Oct 24, 2024 08:40:18.985562086 CEST    Bytes transferred: 326    Direction: OUT
Data:
GET /search/?q=67e28dd86f09f429110aa5197c27d78406abdd88be4b12eab517aa5c96bd86e9978f4a885a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed9c9d3ecc669312 HTTP/1.1
Host: csvskfe.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 24, 2024 08:40:19.911072969 CEST    Bytes transferred: 220    Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Oct 2024 06:40:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 0
Source IP: 192.168.2.7
Source Port: 50027
Destination IP: 104.102.49.254
Destination Port: 443
PID: 7644
Process: C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe

Timestamp: 2024-10-24 06:40:18 UTC
Bytes transferred: 564
Direction: OUT
Data:
GET /inventory/76561199007797490/730/2?l=english&count=2000 HTTP/1.1
Referer: https://steamcommunity.com/profiles/76561199007797490/inventory/
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
DNT: 1
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
host: steamcommunity.com
Connection: close

Timestamp: 2024-10-24 06:40:19 UTC
Bytes transferred: 438
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 24 Oct 2024 06:40:18 GMT
Content-Length: 19759
Connection: close
Set-Cookie: sessionid=0db64d85b7c0d431c65342d9; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=None

Timestamp: 2024-10-24 06:40:19 UTC
Bytes transferred: 15946
Direction: IN
Data Raw: 7b 22 61 73 73 65 74 73 22 3a 5b 7b 22 61 70 70 69 64 22 3a 37 33 30 2c 22 63 6f 6e 74 65 78 74 69 64 22 3a 22 32 22 2c 22 61 73 73 65 74 69 64 22 3a 22 33 34 30 34 34 35 39 30 31 34 31 22 2c 22 63 6c 61 73 73 69 64 22 3a 22 35 35 33 37 30 32 36 34 39 33 22 2c 22 69 6e 73 74 61 6e 63 65 69 64 22 3a 22 30 22 2c 22 61 6d 6f 75 6e 74 22 3a 22 31 22 7d 2c 7b 22 61 70 70 69 64 22 3a 37 33 30 2c 22 63 6f 6e 74 65 78 74 69 64 22 3a 22 32 22 2c 22 61 73 73 65 74 69 64 22 3a 22 33 34 30 34 34 35 39 30 31 34 30 22 2c 22 63 6c 61 73 73 69 64 22 3a 22 35 35 33 37 30 32 36 34 39 34 22 2c 22 69 6e 73 74 61 6e 63 65 69 64 22 3a 22 30 22 2c 22 61 6d 6f 75 6e 74 22 3a 22 31 22 7d 2c 7b 22 61 70 70 69 64 22 3a 37 33 30 2c 22 63 6f 6e 74 65 78 74 69 64 22 3a 22 32 22 2c 22
Data Ascii: {"assets":[{"appid":730,"contextid":"2","assetid":"34044590141","classid":"5537026493","instanceid":"0","amount":"1"},{"appid":730,"contextid":"2","assetid":"34044590140","classid":"5537026494","instanceid":"0","amount":"1"},{"appid":730,"contextid":"2","

Timestamp: 2024-10-24 06:40:19 UTC
Bytes transferred: 3813
Direction: IN
Data Raw: 69 6e 74 65 72 6e 61 6c 5f 6e 61 6d 65 22 3a 22 52 61 72 69 74 79 5f 43 6f 6d 6d 6f 6e 22 2c 22 6c 6f 63 61 6c 69 7a 65 64 5f 63 61 74 65 67 6f 72 79 5f 6e 61 6d 65 22 3a 22 51 75 61 6c 69 74 79 22 2c 22 6c 6f 63 61 6c 69 7a 65 64 5f 74 61 67 5f 6e 61 6d 65 22 3a 22 42 61 73 65 20 47 72 61 64 65 22 2c 22 63 6f 6c 6f 72 22 3a 22 62 30 63 33 64 39 22 7d 2c 7b 22 63 61 74 65 67 6f 72 79 22 3a 22 53 70 72 61 79 43 6f 6c 6f 72 43 61 74 65 67 6f 72 79 22 2c 22 69 6e 74 65 72 6e 61 6c 5f 6e 61 6d 65 22 3a 22 54 69 6e 74 31 39 22 2c 22 6c 6f 63 61 6c 69 7a 65 64 5f 63 61 74 65 67 6f 72 79 5f 6e 61 6d 65 22 3a 22 47 72 61 66 66 69 74 69 20 43 6f 6c 6f 72 22 2c 22 6c 6f 63 61 6c 69 7a 65 64 5f 74 61 67 5f 6e 61 6d 65 22 3a 22 53 68 61 72 6b 20 57 68 69 74 65 22 7d
Data Ascii: internal_name":"Rarity_Common","localized_category_name":"Quality","localized_tag_name":"Base Grade","color":"b0c3d9"},{"category":"SprayColorCategory","internal_name":"Tint19","localized_category_name":"Graffiti Color","localized_tag_name":"Shark White"}
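The request above is issued by the dropped `dpfreevideoconverter3264.exe`, not by a browser, yet it carries a Chrome 107 User-Agent and the `X-Requested-With`/`X-Prototype-Version` headers that Steam's own web client sends. Two details in the trace give the spoof away: the `host` header is lowercase and sits after all the other headers, whereas Chrome emits `Host` first in an HTTP/1.1 request. The following is an added example, not Joe Sandbox code: it parses trace rows in the flattened form the report export uses (timestamp, byte count, direction and payload run together on one line, header lines below it) and applies those two checks plus a User-Agent-versus-process check. The trace text is copied from the report; the browser image list and the header-order heuristic are this example's own assumptions.

```python
"""Pull HTTP requests out of a Joe Sandbox network trace and flag client
fingerprint mismatches.

Added example; not part of the Joe Sandbox report or product. TRACE is the
Steam exchange copied from the report in its flattened export form. The
BROWSERS set and the Host-header heuristics are this example's own
assumptions, not report output.
"""
import re

# Process recorded for the session in the report.
PROCESS = r"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe"

# Copied from the report (flattened rows: '<timestamp> UTC<bytes><IN|OUT><data>').
TRACE = """\
2024-10-24 06:40:18 UTC564OUTGET /inventory/76561199007797490/730/2?l=english&count=2000 HTTP/1.1
Referer: https://steamcommunity.com/profiles/76561199007797490/inventory/
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
DNT: 1
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
host: steamcommunity.com
Connection: close
2024-10-24 06:40:19 UTC438INHTTP/1.1 200 OK
Server: nginx
Content-Type: application/json; charset=utf-8
Content-Length: 19759
Connection: close
"""

# Digits-then-letters boundary makes the flattened row unambiguous.
ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(\d+)(IN|OUT)(.*)$")

# Assumption: image names a Chrome/Edge/Firefox User-Agent may legitimately come from.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def parse_trace(text):
    """Split the flattened trace into messages: one dict per IN/OUT row,
    with the header lines that follow it attached in order."""
    msgs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ts, nbytes, direction, first = m.groups()
            msgs.append({"time": ts, "bytes": int(nbytes), "dir": direction,
                         "start": first, "headers": []})
        elif msgs and ": " in line:
            name, value = line.split(": ", 1)
            msgs[-1]["headers"].append((name, value))
    return msgs


def fingerprint_findings(msg, process_path):
    """Heuristics for 'this client is not the browser it claims to be'."""
    findings = []
    if msg["dir"] != "OUT":
        return findings
    names = [n for n, _ in msg["headers"]]
    ua = dict(msg["headers"]).get("User-Agent", "")
    image = process_path.rsplit("\\", 1)[-1].lower()
    if re.search(r"Chrome/|Firefox/|Edg/", ua) and image not in BROWSERS:
        findings.append(f"browser User-Agent sent by non-browser image {image}")
    host_idx = next((i for i, n in enumerate(names) if n.lower() == "host"), None)
    if host_idx is None:
        findings.append("no Host header")
    else:
        if names[host_idx] != "Host":
            findings.append(f"Host header spelled {names[host_idx]!r}")
        if host_idx != 0:
            findings.append("Host header is not the first header (Chrome sends it first)")
    return findings


def analyze(text, process_path):
    """Map each outbound request line to the list of findings against it."""
    return {m["start"]: fingerprint_findings(m, process_path)
            for m in parse_trace(text) if m["dir"] == "OUT"}


if __name__ == "__main__":
    for req, found in analyze(TRACE, PROCESS).items():
        print(req)
        for f in found:
            print("  -", f)
```

The same parser applies to any session in the report; feed it the rows for a session together with that session's `Process` value and review the requests that produce findings.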



                                                                                Target ID:0
                                                                                Start time:02:38:11
                                                                                Start date:24/10/2024
                                                                                Path:C:\Users\user\Desktop\hAyQbTcI0I.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\hAyQbTcI0I.exe"
                                                                                Imagebase:0x400000
                                                                                File size:4'345'372 bytes
                                                                                MD5 hash:08B4F4533262033C2A77F079C9C72949
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:2
                                                                                Start time:02:38:11
                                                                                Start date:24/10/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user~1\AppData\Local\Temp\is-FR14S.tmp\hAyQbTcI0I.tmp" /SL5="$1043E,4073274,53248,C:\Users\user\Desktop\hAyQbTcI0I.exe"
                                                                                Imagebase:0x400000
                                                                                File size:680'960 bytes
                                                                                MD5 hash:161D763BD5AAFAFDDA6E2D06CC832D98
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:3
                                                                                Start time:02:38:13
                                                                                Start date:24/10/2024
                                                                                Path:C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Local\DP Free Video Converter\dpfreevideoconverter3264.exe" -i
                                                                                Imagebase:0x400000
                                                                                File size:2'800'128 bytes
                                                                                MD5 hash:EE5ECF7045884A8234C995C6D38B7A90
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2601753399.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 34%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:5
                                                                                Start time:02:38:57
                                                                                Start date:24/10/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                Imagebase:0x7ff7b4ee0000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false


                                                                                  Execution Graph

                                                                                  Execution Coverage:21.4%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:2.4%
                                                                                  Total number of Nodes:1511
                                                                                  Total number of Limit Nodes:16
execution_graph: [rendered node/edge listing dropped; only the API names attached to graph nodes are recoverable as text]
API calls named at graph nodes:
File and handle: CreateFileA, ReadFile, WriteFile, CloseHandle, GetFileAttributesA, GetFullPathNameA, CreateDirectoryA, GetWindowsDirectoryA, GetEnvironmentVariableA, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection
Memory: VirtualAlloc, VirtualFree, VirtualQuery, VirtualProtect, GetSystemInfo, LocalAlloc, LocalFree, TlsGetValue, TlsSetValue
Loader and resources: GetModuleHandleA, GetProcAddress, LoadLibraryA, GetModuleFileNameA, GetCommandLineA, FindResourceA, SizeofResource, LoadResource, LockResource, LoadStringA
Registry: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
Locale and system: GetSystemDefaultLCID, GetUserDefaultLangID, GetLocaleInfoA, GetACP, IsDBCSLeadByte, CharPrevA, GetVersionExA, GetSystemTime
Control flow and errors: RaiseException, RtlUnwind, RtlEnterCriticalSection, RtlDeleteCriticalSection, InterlockedExchange, SetErrorMode, GetLastError, SetLastError, MessageBoxA, ExitProcess
6692->6693 6694 401a9f RtlLeaveCriticalSection 6692->6694 6693->6676 6694->6693 6224 404206 6225 4041cc 6224->6225 6228 40420a 6224->6228 6226 403154 4 API calls 6229 404323 6226->6229 6227 404282 6228->6226 6228->6227 6230 402c08 6231 402c82 6230->6231 6234 402c19 6230->6234 6232 402c56 RtlUnwind 6233 403154 4 API calls 6232->6233 6233->6231 6234->6231 6234->6232 6237 402b28 6234->6237 6238 402b31 RaiseException 6237->6238 6239 402b47 6237->6239 6238->6239 6239->6232 6705 407512 GetFileSize 6706 40753e 6705->6706 6707 40752e GetLastError 6705->6707 6707->6706 6708 407537 6707->6708 6709 4073a4 21 API calls 6708->6709 6709->6706 6240 409e17 6241 409e3c 6240->6241 6242 407830 InterlockedExchange 6241->6242 6243 409e66 6242->6243 6244 409e76 6243->6244 6245 4098b4 4 API calls 6243->6245 6250 4075c4 SetEndOfFile 6244->6250 6245->6244 6247 409e92 6248 4025ac 4 API calls 6247->6248 6249 409ec9 6248->6249 6251 4075d4 6250->6251 6252 4075db 6250->6252 6253 4073a4 21 API calls 6251->6253 6252->6247 6253->6252 6254 403018 6255 403070 6254->6255 6256 403025 6254->6256 6257 40302a RtlUnwind 6256->6257 6259 40304e 6257->6259 6258 402f78 6259->6258 6261 402be8 6259->6261 6262 402bf1 RaiseException 6261->6262 6263 402c04 6261->6263 6262->6263 6263->6255 6710 406f1f 6711 406f2c SetErrorMode 6710->6711 6264 405a24 6265 405a34 6264->6265 6266 405a2c 6264->6266 6267 405a32 6266->6267 6268 405a3b 6266->6268 6271 40599c 6267->6271 6269 405890 5 API calls 6268->6269 6269->6265 6272 4059a4 6271->6272 6273 4059be 6272->6273 6274 403154 4 API calls 6272->6274 6275 4059c3 6273->6275 6276 4059da 6273->6276 6274->6272 6277 405890 5 API calls 6275->6277 6278 403154 4 API calls 6276->6278 6279 4059d6 6277->6279 6280 4059df 6278->6280 6282 403154 4 API calls 6279->6282 6281 405900 19 API calls 6280->6281 6281->6279 6283 405a08 6282->6283 6284 403154 4 API calls 6283->6284 6285 405a16 6284->6285 6285->6265 6286 403a28 ReadFile 6287 403a46 6286->6287 6288 403a49 GetLastError 6286->6288 6716 
40972c 6717 409745 6716->6717 6718 40973b 6716->6718 6718->6717 6719 40976a CallWindowProcA 6718->6719 6719->6717 6289 409e32 6290 4098b4 4 API calls 6289->6290 6291 409e37 6290->6291 6292 409e3c 6291->6292 6293 402f24 5 API calls 6291->6293 6294 407830 InterlockedExchange 6292->6294 6293->6292 6295 409e66 6294->6295 6296 409e76 6295->6296 6297 4098b4 4 API calls 6295->6297 6298 4075c4 22 API calls 6296->6298 6297->6296 6299 409e92 6298->6299 6300 4025ac 4 API calls 6299->6300 6301 409ec9 6300->6301 6720 403932 6721 403924 6720->6721 6722 40374c VariantClear 6721->6722 6723 40392c 6722->6723 5988 406f3b 5989 406f2c SetErrorMode 5988->5989 5583 4075c4 SetEndOfFile 5584 4075d4 5583->5584 5585 4075db 5583->5585 5586 4073a4 21 API calls 5584->5586 5586->5585 6308 402ccc 6311 402cfe 6308->6311 6312 402cdd 6308->6312 6309 402d88 RtlUnwind 6310 403154 4 API calls 6309->6310 6310->6311 6312->6309 6312->6311 6313 402b28 RaiseException 6312->6313 6314 402d7f 6313->6314 6314->6309 6724 403fcd 6725 403f07 4 API calls 6724->6725 6726 403fd6 6725->6726 6727 403e9c 4 API calls 6726->6727 6728 403fe2 6727->6728 4868 4024d0 4869 4024e4 4868->4869 4870 4024f7 4868->4870 4907 401918 RtlInitializeCriticalSection 4869->4907 4871 402518 4870->4871 4872 40250e RtlEnterCriticalSection 4870->4872 4884 402300 4871->4884 4872->4871 4876 4024ed 4878 402525 4880 402581 4878->4880 4881 402577 RtlLeaveCriticalSection 4878->4881 4881->4880 4882 402531 4882->4878 4914 40215c 4882->4914 4885 402314 4884->4885 4886 402335 4885->4886 4887 4023b8 4885->4887 4888 402344 4886->4888 4928 401b74 4886->4928 4887->4888 4892 402455 4887->4892 4931 401d80 4887->4931 4939 401e84 4887->4939 4888->4878 4894 401fd4 4888->4894 4892->4888 4935 401d00 4892->4935 4895 401fe8 4894->4895 4896 401ffb 4894->4896 4897 401918 4 API calls 4895->4897 4898 402012 RtlEnterCriticalSection 4896->4898 4901 40201c 4896->4901 4899 401fed 4897->4899 4898->4901 4899->4896 4900 401ff1 4899->4900 4904 402052 4900->4904 4901->4904 5021 
401ee0 4901->5021 4904->4882 4905 402147 4905->4882 4906 40213d RtlLeaveCriticalSection 4906->4905 4908 40193c RtlEnterCriticalSection 4907->4908 4909 401946 4907->4909 4908->4909 4910 401964 LocalAlloc 4909->4910 4911 40197e 4910->4911 4912 4019c3 RtlLeaveCriticalSection 4911->4912 4913 4019cd 4911->4913 4912->4913 4913->4870 4913->4876 4915 40217a 4914->4915 4916 402175 4914->4916 4917 4021ab RtlEnterCriticalSection 4915->4917 4920 4021b5 4915->4920 4924 40217e 4915->4924 4918 401918 4 API calls 4916->4918 4917->4920 4918->4915 4919 4021c1 4922 4022e3 RtlLeaveCriticalSection 4919->4922 4923 4022ed 4919->4923 4920->4919 4921 402244 4920->4921 4926 402270 4920->4926 4921->4924 4925 401d80 7 API calls 4921->4925 4922->4923 4923->4878 4924->4878 4925->4924 4926->4919 4927 401d00 7 API calls 4926->4927 4927->4919 4929 40215c 9 API calls 4928->4929 4930 401b95 4929->4930 4930->4888 4932 401d92 4931->4932 4933 401d89 4931->4933 4932->4887 4933->4932 4934 401b74 9 API calls 4933->4934 4934->4932 4936 401d4e 4935->4936 4937 401d1e 4935->4937 4936->4937 4944 401c68 4936->4944 4937->4888 4999 401768 4939->4999 4941 401e99 4942 401ea6 4941->4942 5010 401dcc 4941->5010 4942->4887 4945 401c7a 4944->4945 4946 401c9d 4945->4946 4947 401caf 4945->4947 4957 40188c 4946->4957 4949 40188c 3 API calls 4947->4949 4950 401cad 4949->4950 4951 401cc5 4950->4951 4967 401b44 4950->4967 4951->4937 4953 401cd4 4954 401cee 4953->4954 4972 401b98 4953->4972 4977 4013a0 4954->4977 4958 4018b2 4957->4958 4966 40190b 4957->4966 4981 401658 4958->4981 4963 4018e6 4965 4013a0 LocalAlloc 4963->4965 4963->4966 4965->4966 4966->4950 4968 401b61 4967->4968 4969 401b52 4967->4969 4968->4953 4970 401d00 9 API calls 4969->4970 4971 401b5f 4970->4971 4971->4953 4973 401b9d 4972->4973 4975 401bab 4972->4975 4974 401b74 9 API calls 4973->4974 4976 401baa 4974->4976 4975->4954 4976->4954 4978 4013ab 4977->4978 4979 4013c6 4978->4979 4980 4012e4 LocalAlloc 4978->4980 4979->4951 4980->4979 4983 40168f 
4981->4983 4982 4016cf 4985 40132c 4982->4985 4983->4982 4984 4016a9 VirtualFree 4983->4984 4984->4983 4986 401348 4985->4986 4993 4012e4 4986->4993 4989 40150c 4992 40153b 4989->4992 4990 401594 4990->4963 4991 401568 VirtualFree 4991->4992 4992->4990 4992->4991 4996 40128c 4993->4996 4997 401298 LocalAlloc 4996->4997 4998 4012aa 4996->4998 4997->4998 4998->4963 4998->4989 5001 401787 4999->5001 5000 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5000->5001 5001->5000 5002 40183b 5001->5002 5004 40132c LocalAlloc 5001->5004 5005 401821 5001->5005 5006 4017d6 5001->5006 5007 4017e7 5002->5007 5017 4015c4 5002->5017 5004->5001 5008 40150c VirtualFree 5005->5008 5009 40150c VirtualFree 5006->5009 5007->4941 5008->5007 5009->5007 5011 401d80 9 API calls 5010->5011 5012 401de0 5011->5012 5013 40132c LocalAlloc 5012->5013 5014 401df0 5013->5014 5015 401df8 5014->5015 5016 401b44 9 API calls 5014->5016 5015->4942 5016->5015 5018 40160a 5017->5018 5019 401626 VirtualAlloc 5018->5019 5020 40163a 5018->5020 5019->5018 5019->5020 5020->5007 5024 401ef0 5021->5024 5022 401f1c 5023 401d00 9 API calls 5022->5023 5026 401f40 5022->5026 5023->5026 5024->5022 5024->5026 5027 401e58 5024->5027 5026->4905 5026->4906 5032 4016d8 5027->5032 5030 401dcc 9 API calls 5031 401e75 5030->5031 5031->5024 5038 4016f4 5032->5038 5033 4016fe 5035 4015c4 VirtualAlloc 5033->5035 5040 40170a 5035->5040 5036 40175b 5036->5030 5036->5031 5037 40132c LocalAlloc 5037->5038 5038->5033 5038->5036 5038->5037 5039 40174f 5038->5039 5042 401430 5038->5042 5041 40150c VirtualFree 5039->5041 5040->5036 5041->5036 5043 40143f VirtualAlloc 5042->5043 5045 40146c 5043->5045 5046 40148f 5043->5046 5047 4012e4 LocalAlloc 5045->5047 5046->5038 5048 401478 5047->5048 5048->5046 5049 40147c VirtualFree 5048->5049 5049->5046 6315 40a0d0 6324 409448 6315->6324 6318 402f24 5 API calls 6319 40a0da 6318->6319 6320 403198 4 API calls 6319->6320 6321 40a0f9 6320->6321 6322 403198 4 API calls 6321->6322 6323 40a101 
6322->6323 6333 4055fc 6324->6333 6326 409463 6327 409491 6326->6327 6339 407130 6326->6339 6330 403198 4 API calls 6327->6330 6329 409481 6332 409489 MessageBoxA 6329->6332 6331 4094a6 6330->6331 6331->6318 6332->6327 6334 403154 4 API calls 6333->6334 6335 405601 6334->6335 6336 405619 6335->6336 6337 403154 4 API calls 6335->6337 6336->6326 6338 40560f 6337->6338 6338->6326 6340 4055fc 4 API calls 6339->6340 6341 40713f 6340->6341 6342 407145 6341->6342 6344 407153 6341->6344 6343 40322c 4 API calls 6342->6343 6345 407151 6343->6345 6346 407163 6344->6346 6347 40716f 6344->6347 6345->6329 6350 4070f4 6346->6350 6357 4032b8 6347->6357 6351 40322c 4 API calls 6350->6351 6353 407103 6351->6353 6352 407120 6352->6345 6353->6352 6354 406894 CharPrevA 6353->6354 6355 40710f 6354->6355 6355->6352 6356 4032fc 4 API calls 6355->6356 6356->6352 6358 403278 4 API calls 6357->6358 6359 4032c2 6358->6359 6359->6345 6360 4028d2 6361 4028da 6360->6361 6362 403554 4 API calls 6361->6362 6363 4028ef 6361->6363 6362->6361 6364 4025ac 4 API calls 6363->6364 6365 4028f4 6364->6365 6729 4019d3 6730 4019ba 6729->6730 6731 4019c3 RtlLeaveCriticalSection 6730->6731 6732 4019cd 6730->6732 6731->6732 6733 4065d4 IsDBCSLeadByte 6734 4065ec 6733->6734 6370 409edb 6371 409f0b 6370->6371 6372 409f15 CreateWindowExA SetWindowLongA 6371->6372 6373 4050e4 19 API calls 6372->6373 6374 409f98 6373->6374 6375 4032fc 4 API calls 6374->6375 6376 409fa6 6375->6376 6377 4032fc 4 API calls 6376->6377 6378 409fb3 6377->6378 6379 406ab8 5 API calls 6378->6379 6380 409fbf 6379->6380 6381 4032fc 4 API calls 6380->6381 6382 409fc8 6381->6382 6383 4097b8 29 API calls 6382->6383 6384 409fda 6383->6384 6385 4095d0 5 API calls 6384->6385 6386 409fed 6384->6386 6385->6386 6387 40a026 6386->6387 6388 409330 9 API calls 6386->6388 6389 40a03f 6387->6389 6393 40a039 RemoveDirectoryA 6387->6393 6388->6387 6390 40a053 6389->6390 6391 40a048 74285CF0 6389->6391 6392 40a07b 6390->6392 6394 40357c 4 API calls 6390->6394 
6391->6390 6393->6389 6395 40a071 6394->6395 6396 4025ac 4 API calls 6395->6396 6396->6392 6738 407bdb 6741 407be1 6738->6741 6739 40322c 4 API calls 6740 407c79 6739->6740 6742 4032fc 4 API calls 6740->6742 6741->6739 6743 407c83 6742->6743 6744 4057e0 4 API calls 6743->6744 6745 407c92 6744->6745 6746 403198 4 API calls 6745->6746 6747 407cac 6746->6747 5990 4074dc SetFilePointer 5991 40750f 5990->5991 5992 4074ff GetLastError 5990->5992 5992->5991 5993 407508 5992->5993 5994 4073a4 21 API calls 5993->5994 5994->5991 5050 4075e0 WriteFile 5051 407600 5050->5051 5052 407607 5050->5052 5056 4073a4 GetLastError 5051->5056 5054 407618 5052->5054 5059 407304 5052->5059 5057 407304 20 API calls 5056->5057 5058 4073b5 5057->5058 5058->5052 5068 4071a8 FormatMessageA 5059->5068 5062 40734c 5075 4057e0 5062->5075 5065 40735b 5079 403198 5065->5079 5069 4071ce 5068->5069 5083 403278 5069->5083 5072 4050e4 5110 4050f8 5072->5110 5076 4057e7 5075->5076 5077 4031e8 4 API calls 5076->5077 5078 4057ff 5077->5078 5078->5065 5080 4031b7 5079->5080 5081 40319e 5079->5081 5080->5054 5081->5080 5082 4025ac 4 API calls 5081->5082 5082->5080 5088 403254 5083->5088 5085 403288 5086 403198 4 API calls 5085->5086 5087 4032a0 5086->5087 5087->5062 5087->5072 5089 403274 5088->5089 5090 403258 5088->5090 5089->5085 5093 402594 5090->5093 5092 403261 5092->5085 5094 402598 5093->5094 5095 4025a2 5093->5095 5094->5095 5097 403154 5094->5097 5095->5092 5095->5095 5098 403164 5097->5098 5099 40318c TlsGetValue 5097->5099 5098->5095 5100 403196 5099->5100 5101 40316f 5099->5101 5100->5095 5105 40310c 5101->5105 5103 403174 TlsGetValue 5104 403184 5103->5104 5104->5095 5106 403120 LocalAlloc 5105->5106 5107 403116 5105->5107 5108 40313e TlsSetValue 5106->5108 5109 403132 5106->5109 5107->5106 5108->5109 5109->5103 5111 405115 5110->5111 5118 404da8 5111->5118 5114 405141 5116 403278 4 API calls 5114->5116 5117 4050f3 5116->5117 5117->5062 5121 404dc3 5118->5121 5119 404dd5 5119->5114 5123 404b34 
5119->5123 5121->5119 5126 404eca 5121->5126 5133 404d9c 5121->5133 5243 405890 5123->5243 5125 404b45 5125->5114 5127 404edb 5126->5127 5130 404f29 5126->5130 5127->5130 5131 404faf 5127->5131 5129 404f47 5129->5121 5130->5129 5136 404d44 5130->5136 5131->5129 5140 404d88 5131->5140 5134 403198 4 API calls 5133->5134 5135 404da6 5134->5135 5135->5121 5137 404d52 5136->5137 5143 404b4c 5137->5143 5139 404d80 5139->5130 5173 4039a4 5140->5173 5146 405900 5143->5146 5145 404b65 5145->5139 5147 40590e 5146->5147 5156 404c2c LoadStringA 5147->5156 5150 4050e4 19 API calls 5151 405946 5150->5151 5159 4031e8 5151->5159 5157 403278 4 API calls 5156->5157 5158 404c59 5157->5158 5158->5150 5160 4031ec 5159->5160 5163 4031fc 5159->5163 5162 403254 4 API calls 5160->5162 5160->5163 5161 403228 5165 4031b8 5161->5165 5162->5163 5163->5161 5169 4025ac 5163->5169 5167 4031be 5165->5167 5166 4031e3 5166->5145 5167->5166 5168 4025ac 4 API calls 5167->5168 5168->5167 5170 4025b0 5169->5170 5172 4025ba 5169->5172 5171 403154 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5170->5171 5170->5172 5171->5172 5172->5161 5174 4039ab 5173->5174 5179 4038b4 5174->5179 5176 4039cb 5177 403198 4 API calls 5176->5177 5178 4039d2 5177->5178 5178->5129 5180 4038d5 5179->5180 5181 4038c8 5179->5181 5182 403934 5180->5182 5183 4038db 5180->5183 5207 403780 5181->5207 5187 403993 5182->5187 5188 40393b 5182->5188 5185 4038e1 5183->5185 5186 4038ee 5183->5186 5214 403894 5185->5214 5191 403894 6 API calls 5186->5191 5192 4037f4 3 API calls 5187->5192 5193 403941 5188->5193 5194 40394b 5188->5194 5189 4038d0 5189->5176 5196 4038fc 5191->5196 5192->5189 5229 403864 5193->5229 5195 4037f4 3 API calls 5194->5195 5198 40395d 5195->5198 5219 4037f4 5196->5219 5200 403864 9 API calls 5198->5200 5202 403976 5200->5202 5201 403917 5225 40374c 5201->5225 5204 40374c VariantClear 5202->5204 5206 40398b 5204->5206 5205 40392c 5205->5176 5206->5176 5208 4037f0 5207->5208 5209 403744 5207->5209 5208->5189 
5209->5207 5210 403793 VariantClear 5209->5210 5211 403198 4 API calls 5209->5211 5212 4037dc VariantCopyInd 5209->5212 5213 4037ab 5209->5213 5210->5209 5211->5209 5212->5208 5212->5209 5213->5189 5234 4036b8 5214->5234 5217 40374c VariantClear 5218 4038a9 5217->5218 5218->5189 5220 403845 VariantChangeTypeEx 5219->5220 5221 40380a VariantChangeTypeEx 5219->5221 5222 403832 5220->5222 5223 403826 5221->5223 5222->5201 5224 40374c VariantClear 5223->5224 5224->5222 5226 403766 5225->5226 5227 403759 5225->5227 5226->5205 5227->5226 5228 403779 VariantClear 5227->5228 5228->5205 5240 40369c SysStringLen 5229->5240 5232 40374c VariantClear 5233 403882 5232->5233 5233->5189 5235 4036cb 5234->5235 5236 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5235->5236 5237 4036db 5235->5237 5238 40372e 5236->5238 5239 4036ed MultiByteToWideChar SysAllocStringLen 5237->5239 5238->5217 5239->5238 5241 403610 7 API calls 5240->5241 5242 4036b3 5241->5242 5242->5232 5244 40589c 5243->5244 5245 404c2c 5 API calls 5244->5245 5246 4058c2 5245->5246 5247 4031e8 4 API calls 5246->5247 5248 4058cd 5247->5248 5249 403198 4 API calls 5248->5249 5250 4058e2 5249->5250 5250->5125 6752 402be9 RaiseException 6753 402c04 6752->6753 5995 409eed 5996 409ef1 5995->5996 6027 409394 GetLastError 5996->6027 5999 409f0b 6001 409f15 CreateWindowExA SetWindowLongA 5999->6001 6000 402f24 5 API calls 6000->5999 6002 4050e4 19 API calls 6001->6002 6003 409f98 6002->6003 6004 4032fc 4 API calls 6003->6004 6005 409fa6 6004->6005 6006 4032fc 4 API calls 6005->6006 6007 409fb3 6006->6007 6040 406ab8 GetCommandLineA 6007->6040 6010 4032fc 4 API calls 6011 409fc8 6010->6011 6045 4097b8 6011->6045 6014 4095d0 5 API calls 6015 409fed 6014->6015 6016 40a026 6015->6016 6017 40a00d 6015->6017 6019 40a03f 6016->6019 6023 40a039 RemoveDirectoryA 6016->6023 6061 409330 6017->6061 6020 40a053 6019->6020 6021 40a048 74285CF0 6019->6021 6022 40a07b 6020->6022 6069 40357c 6020->6069 6021->6020 6023->6019 
6025 40a071 6026 4025ac 4 API calls 6025->6026 6026->6022 6028 404be4 19 API calls 6027->6028 6029 4093db 6028->6029 6030 4071a8 5 API calls 6029->6030 6031 4093eb 6030->6031 6032 408c04 4 API calls 6031->6032 6033 409400 6032->6033 6034 4057e0 4 API calls 6033->6034 6035 40940f 6034->6035 6036 4031b8 4 API calls 6035->6036 6037 40942e 6036->6037 6038 403198 4 API calls 6037->6038 6039 409436 6038->6039 6039->5999 6039->6000 6041 406a2c 4 API calls 6040->6041 6042 406add 6041->6042 6043 403198 4 API calls 6042->6043 6044 406afb 6043->6044 6044->6010 6046 4033b4 4 API calls 6045->6046 6047 4097f3 6046->6047 6048 409825 CreateProcessA 6047->6048 6049 409831 6048->6049 6050 409838 CloseHandle 6048->6050 6051 409394 21 API calls 6049->6051 6052 409841 6050->6052 6051->6050 6082 40978c 6052->6082 6055 40985d 6056 40978c 3 API calls 6055->6056 6057 409862 GetExitCodeProcess CloseHandle 6056->6057 6058 409882 6057->6058 6059 403198 4 API calls 6058->6059 6060 40988a 6059->6060 6060->6014 6060->6015 6062 40938a 6061->6062 6064 409343 6061->6064 6062->6016 6063 40934b Sleep 6063->6064 6064->6062 6064->6063 6065 40935b Sleep 6064->6065 6067 409372 GetLastError 6064->6067 6086 408e14 6064->6086 6065->6064 6067->6062 6068 40937c GetLastError 6067->6068 6068->6062 6068->6064 6070 403591 6069->6070 6071 4035a0 6069->6071 6074 4035b6 6070->6074 6075 4035d0 6070->6075 6076 40359b 6070->6076 6072 4035b1 6071->6072 6073 4035b8 6071->6073 6077 403198 4 API calls 6072->6077 6078 4031b8 4 API calls 6073->6078 6074->6025 6075->6074 6079 40357c 4 API calls 6075->6079 6076->6071 6081 4035ec 6076->6081 6077->6074 6078->6074 6079->6075 6081->6074 6094 403554 6081->6094 6083 4097a0 PeekMessageA 6082->6083 6084 4097b2 MsgWaitForMultipleObjects 6083->6084 6085 409794 TranslateMessage DispatchMessageA 6083->6085 6084->6052 6084->6055 6085->6083 6087 408dc8 2 API calls 6086->6087 6088 408e2a 6087->6088 6089 408e2e 6088->6089 6090 408e4a DeleteFileA GetLastError 6088->6090 6089->6064 6091 408e68 
6090->6091 6092 408e04 Wow64RevertWow64FsRedirection 6091->6092 6093 408e70 6092->6093 6093->6064 6096 403566 6094->6096 6097 403578 6096->6097 6098 403604 6096->6098 6097->6081 6099 40357c 6098->6099 6100 4035a0 6099->6100 6103 40359b 6099->6103 6106 4035b6 6099->6106 6107 4035d0 6099->6107 6101 4035b1 6100->6101 6102 4035b8 6100->6102 6104 403198 4 API calls 6101->6104 6105 4031b8 4 API calls 6102->6105 6103->6100 6109 4035ec 6103->6109 6104->6106 6105->6106 6106->6096 6107->6106 6108 40357c 4 API calls 6107->6108 6108->6107 6109->6106 6110 403554 4 API calls 6109->6110 6110->6109 6411 402af2 6412 402afe 6411->6412 6415 402ed0 6412->6415 6416 403154 4 API calls 6415->6416 6418 402ee0 6416->6418 6417 402b03 6418->6417 6420 402b0c 6418->6420 6421 402b25 6420->6421 6422 402b15 RaiseException 6420->6422 6421->6417 6422->6421 6423 405af2 6425 405af4 6423->6425 6424 405b30 6428 405890 5 API calls 6424->6428 6425->6424 6426 405b47 6425->6426 6427 405b2a 6425->6427 6432 404c2c 5 API calls 6426->6432 6427->6424 6429 405b9c 6427->6429 6430 405b43 6428->6430 6431 405900 19 API calls 6429->6431 6434 403198 4 API calls 6430->6434 6431->6430 6433 405b70 6432->6433 6436 405900 19 API calls 6433->6436 6435 405bd6 6434->6435 6436->6430 6758 402dfa 6759 402e0d 6758->6759 6761 402e26 6758->6761 6762 402ba4 6759->6762 6763 402bc9 6762->6763 6764 402bad 6762->6764 6763->6761 6765 402bb5 RaiseException 6764->6765 6765->6763 6455 403a80 CloseHandle 6456 403a90 6455->6456 6457 403a91 GetLastError 6455->6457 6462 404283 6463 4042c3 6462->6463 6464 403154 4 API calls 6463->6464 6465 404323 6464->6465 6770 404185 6771 4041ff 6770->6771 6772 403154 4 API calls 6771->6772 6773 4041cc 6771->6773 6774 404323 6772->6774 6470 403e87 6471 403e4c 6470->6471 6472 403e67 6471->6472 6473 403e62 6471->6473 6474 403e7b 6471->6474 6477 403e78 6472->6477 6483 402674 6472->6483 6479 403cc8 6473->6479 6476 402674 4 API calls 6474->6476 6476->6477 6480 403cd6 6479->6480 6481 403ceb 6480->6481 6482 402674 4 
API calls 6480->6482 6481->6472 6482->6481 6484 403154 4 API calls 6483->6484 6485 40267a 6484->6485 6485->6477 6486 40a088 6488 409ffa 6486->6488 6487 40a026 6490 40a03f 6487->6490 6493 40a039 RemoveDirectoryA 6487->6493 6488->6487 6489 409330 9 API calls 6488->6489 6489->6487 6491 40a053 6490->6491 6492 40a048 74285CF0 6490->6492 6494 40357c 4 API calls 6491->6494 6497 40a07b 6491->6497 6492->6491 6493->6490 6495 40a071 6494->6495 6496 4025ac 4 API calls 6495->6496 6496->6497 6779 408d88 6782 408c58 6779->6782 6783 408c61 6782->6783 6784 403198 4 API calls 6783->6784 6785 408c6f 6783->6785 6784->6783 6498 40a08d 6499 40a096 6498->6499 6501 40a0c1 6498->6501 6508 4092a0 6499->6508 6502 403198 4 API calls 6501->6502 6504 40a0f9 6502->6504 6503 40a09b 6503->6501 6505 40a0b9 MessageBoxA 6503->6505 6506 403198 4 API calls 6504->6506 6505->6501 6507 40a101 6506->6507 6509 409307 ExitWindowsEx 6508->6509 6510 4092ac GetCurrentProcess OpenProcessToken 6508->6510 6511 4092be 6509->6511 6510->6511 6512 4092c2 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6510->6512 6511->6503 6512->6509 6512->6511 6517 408a92 6518 408a9b 6517->6518 6519 403198 4 API calls 6518->6519 6527 408b35 6519->6527 6520 408b60 6521 4031b8 4 API calls 6520->6521 6522 408be5 6521->6522 6523 408b4c 6526 4032fc 4 API calls 6523->6526 6524 403278 4 API calls 6524->6527 6525 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6525->6527 6526->6520 6527->6520 6527->6523 6527->6524 6527->6525 6528 403e95 6529 403e4c 6528->6529 6530 403e62 6529->6530 6531 403e7b 6529->6531 6534 403e67 6529->6534 6532 403cc8 4 API calls 6530->6532 6533 402674 4 API calls 6531->6533 6532->6534 6535 403e78 6533->6535 6534->6535 6536 402674 4 API calls 6534->6536 6536->6535 6537 403a97 6538 403aac 6537->6538 6539 403bbc GetStdHandle 6538->6539 6540 403b0e CreateFileA 6538->6540 6550 403ab2 6538->6550 6541 403c17 GetLastError 6539->6541 6545 403bba 6539->6545 6540->6541 6542 403b2c 6540->6542 6541->6550 6544 403b3b 
GetFileSize 6542->6544 6542->6545 6544->6541 6546 403b4e SetFilePointer 6544->6546 6547 403be7 GetFileType 6545->6547 6545->6550 6546->6541 6551 403b6a ReadFile 6546->6551 6549 403c02 CloseHandle 6547->6549 6547->6550 6549->6550 6551->6541 6552 403b8c 6551->6552 6552->6545 6553 403b9f SetFilePointer 6552->6553 6553->6541 6554 403bb0 SetEndOfFile 6553->6554 6554->6541 6554->6545 6798 4011aa 6799 4011ac GetStdHandle 6798->6799 6562 4028ac 6563 402594 4 API calls 6562->6563 6564 4028b6 6563->6564 6569 4050b0 6570 4050c3 6569->6570 6571 404da8 19 API calls 6570->6571 6572 4050d7 6571->6572 6577 401ab9 6578 401a96 6577->6578 6579 401aa9 RtlDeleteCriticalSection 6578->6579 6580 401a9f RtlLeaveCriticalSection 6578->6580 6580->6579

                                                                                  Control-flow Graph
                                                                                  (rendered basic-block graph not reproduced; legend: Executed / Not Executed)
                                                                                  Function 00409944-004099FF: the entry block calls GetSystemInfo and VirtualQuery; a loop re-queries regions with VirtualQuery, changes protection with VirtualProtect (two call sites), and one block calls the internal routine at 0040993C.
                                                                                  APIs
                                                                                  • GetSystemInfo.KERNEL32(?), ref: 00409956
                                                                                  • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409961
                                                                                  • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004099A2
                                                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004099D4
                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 004099E4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                  • String ID:
                                                                                  • API String ID: 2441996862-0
                                                                                  • Opcode ID: 5705ee394a72ddd399e4027cfb053887e63c693988ca45339c41590f720f2ccb
                                                                                  • Instruction ID: a6a75d5afacf98dda07d650d9392f85e94a9260a8e81f76dcb0e561c1d323dc9
                                                                                  • Opcode Fuzzy Hash: 5705ee394a72ddd399e4027cfb053887e63c693988ca45339c41590f720f2ccb
                                                                                  • Instruction Fuzzy Hash: BE21A1F12003006BD630AA598C85E5BB3D8DB46350F08492FFA86E23C3D739ED40C659
                                                                                  APIs
                                                                                  • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2299586839-0
                                                                                  • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                                  • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                                                                  • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                                  • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A83), ref: 00408F1C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F22
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A83), ref: 00408F36
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F3C
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
• Instruction ID: ef4badd54955bda93fd7c631ce084268f05c1d5093e10ec72b10b69b713a5d4b
• Opcode Fuzzy Hash: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
• Instruction Fuzzy Hash: D701F770108301EEE700BB72DE57B163A59D745718F60443FF248761C2CE7C4904CA2D

Control-flow Graph
APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F37
• SetWindowLongA.USER32(0001043E,000000FC,0040972C), ref: 00409F4E
• RemoveDirectoryA.KERNEL32(00000000,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A03A
• 74285CF0.USER32(0001043E,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A04E
  • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,02292EFC), ref: 004093B8
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Window$74285CreateDirectoryErrorLastLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 158254820-3001827809
• Opcode ID: 356ba627585c3b8aeb63b7ec6763bf964542e42b5da9ee7fb4b831b47c6476ae
• Instruction ID: b0b7cb5c84c11a902aa92c151bc7a473584df1d8a174dbb0272dab9361f09c30
• Opcode Fuzzy Hash: 356ba627585c3b8aeb63b7ec6763bf964542e42b5da9ee7fb4b831b47c6476ae
• Instruction Fuzzy Hash: ED414170A00205DBC715EBA9EE85B9E7BA5EF44304F10427BF550B72E2DB789801CB9D

Control-flow Graph
APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F37
• SetWindowLongA.USER32(0001043E,000000FC,0040972C), ref: 00409F4E
  • Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FBF,?), ref: 00406AD0
  • Part of subcall function 004097B8: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4,00000000,0040988B), ref: 00409828
  • Part of subcall function 004097B8: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4,00000000), ref: 0040983C
  • Part of subcall function 004097B8: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409855
  • Part of subcall function 004097B8: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409867
  • Part of subcall function 004097B8: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4), ref: 00409870
• RemoveDirectoryA.KERNEL32(00000000,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A03A
• 74285CF0.USER32(0001043E,0040A08D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A04E
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseCreateHandleProcessWindow$74285CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 2264470932-3001827809
• Opcode ID: 8adb2276f24502cdda7e1e25f51ffccaae98d0a235ff27fffbb48544401fc469
• Instruction ID: f1d2162e6052a88f2f310f1910c468c6413901ad883113d8bc6822bbadce307d
• Opcode Fuzzy Hash: 8adb2276f24502cdda7e1e25f51ffccaae98d0a235ff27fffbb48544401fc469
• Instruction Fuzzy Hash: B7411C70A00205DFD715EBA9EE85B9A7BA5EB88304F10427BF510B72E2DB789801CB5D

Control-flow Graph
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4,00000000,0040988B), ref: 00409828
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4,00000000), ref: 0040983C
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409855
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409867
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B0,02292EFC,004098A4), ref: 00409870
  • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,02292EFC), ref: 004093B8
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 3ff481d983818b20dfc2cef53ba7a084528a695c42936f0cbd91dc6a76799fc6
• Instruction ID: d6342c5014be746473ae4a73a07d94ec33375df439d205700b32e47ef222c3c9
• Opcode Fuzzy Hash: 3ff481d983818b20dfc2cef53ba7a084528a695c42936f0cbd91dc6a76799fc6
• Instruction Fuzzy Hash: 381160B16102086EDB00FBE68C52F9EB7ACEF49714F50413ABA14F72C7DA785D008668

Control-flow Graph
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091CE
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091D7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
• Instruction ID: b3c939f821d6d3b02d73a6ffc60c10d65ff6e2c1a1ef0f9f166dc2fc0ea9728e
• Opcode Fuzzy Hash: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
• Instruction Fuzzy Hash: 16214774A00209ABDB01EFA1C9429DFB7B9EB88304F50457FE501B73C2DA7C9E058BA5

Control-flow Graph
APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CB1
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Message
• String ID: .tmp
• API String ID: 2030045667-2986845003
• Opcode ID: 0f82f1c4d759405840efd70fc318bbeb2c43fc543230e63a2822dd9ae4ce5900
• Instruction ID: 241aa51b6908f2d1dddb6a0cd00689432b616bf1cdbe7f50cfb4de551c7d1b4f
• Opcode Fuzzy Hash: 0f82f1c4d759405840efd70fc318bbeb2c43fc543230e63a2822dd9ae4ce5900
• Instruction Fuzzy Hash: 2541E170604201DFD715EF29DE92A5A7BA6FB49308B10457AF800B73E2CB79AC01DB9D

Control-flow Graph
APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CB1
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Message
• String ID: .tmp
• API String ID: 2030045667-2986845003
• Opcode ID: 9303481059f97bee54f9b04abf88518633238788d527aa2b880329f942cd8582
• Instruction ID: 6703d18eb847d6b61cc42f6542934489f35641dfe9846f309c432ed6b1daf27a
• Opcode Fuzzy Hash: 9303481059f97bee54f9b04abf88518633238788d527aa2b880329f942cd8582
• Instruction Fuzzy Hash: 7341C170600205DFD715EF29DE92A5A7BA6FB49308B10457AF800B73E2CB79AC01DB9D

Control-flow Graph
• Block 254: 406ec4-406f17 SetErrorMode, call 403414, LoadLibraryA
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406ECE
• LoadLibraryA.KERNEL32(00000000,00000000,00406F18,?,00000000,00406F36,?,00008000), ref: 00406EFD
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
• Instruction ID: 5e20ffdb52ff7e8261d23daca573ea8644dcd49689b218f11c6781c5bce8f48d
• Opcode Fuzzy Hash: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
• Instruction Fuzzy Hash: D7F089705147047EDB119F769C6241ABBECD749B047534875F910A26D2E53C4C208568

Control-flow Graph
• Block 258: 407544-407562 ReadFile
• Block 259: 407564-407568
• Block 260: 40757b-407582
• Block 261: 407574-407576 call 4073a4
• Block 262: 40756a-407572 GetLastError
• Edges: 258->259, 258->260, 259->261, 259->262, 261->260, 262->260, 262->261
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040755B
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040756A
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
• Instruction ID: 34e576fd7e6559e3ef6c853e67441063c40c11266019ec046b6cc2e4d5471cd5
• Opcode Fuzzy Hash: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
• Instruction Fuzzy Hash: ABE06DA1A081507AEB20965AAC85FAB66DC8BC5314F04417BF904DB282C678DC00C27A

Control-flow Graph
control_flow_graph 264 407584-4075a9 SetFilePointer 265 4075bb-4075c0 264->265 266 4075ab-4075b2 GetLastError 264->266 266->265 267 4075b4-4075b6 call 4073a4 266->267 267->265
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075A3
• GetLastError.KERNEL32(?,?,?,00000000), ref: 004075AB
  • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,022903AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID / Opcode Fuzzy Hash: 64234936368745cadff0884a95fa07edb9d6d799bdb4626fca8da24a174aceff
• Instruction ID: 1215520e40270bbf1c42edbfe5ddbfad2f0444ede1f1e4d22e24bec04403dad1
• Instruction Fuzzy Hash: 6FE092B66081006BD700D55DC881A9B33DCDFC5364F044136BA54EB2C1D6B5EC008376

Control-flow Graph
control_flow_graph 269 4074dc-4074fd SetFilePointer 270 40750f-407511 269->270 271 4074ff-407506 GetLastError 269->271 271->270 272 407508-40750a call 4073a4 271->272 272->270
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004074F3
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004074FF
  • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,022903AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID / Opcode Fuzzy Hash: 7dcdc125b41699120aae8acb46450914bebfaac92dc1c1f3d4146a6219e6b847
• Instruction ID: 3a188f8a391a656106576682ef5fc0e36605e971047c99b326a67709d18e7f8b
• Instruction Fuzzy Hash: B4E04FB1600210AFEB20EEB98981B9272D89F44364F0485B6EA14DF2C6D274DC00C766

Control-flow Graph
control_flow_graph 332 401430-40143d 333 401446-40144c 332->333 334 40143f-401444 332->334 335 401452-40146a VirtualAlloc 333->335 334->335 336 40146c-40147a call 4012e4 335->336 337 40148f-401492 335->337 336->337 340 40147c-40148d VirtualFree 336->340 340->337
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID / Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Control-flow Graph
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
  • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
  • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID / Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
• Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
• Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98
APIs
• CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID / Opcode Fuzzy Hash: 71189d5fdb67734adcc989176e972d73cabe0a8508cd7dda32cb2fd1e54b45a1
• Instruction ID: 028ce23b60034aad2079abf39c8673be77ca980571763ae766079fdae63e366f
• Instruction Fuzzy Hash: 59F0BE523019341BC6117A7F18815AFA7888B86709752417FF506FB382DE3EAE6352AE
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID / Opcode Fuzzy Hash: 15eb5b8bcf830c4b195572af03a6c999168ba8d47e453751ce572d84692466fb
• Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
• Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID / Opcode Fuzzy Hash: 460f9172ef9680e9bf065e809d42603cad769bb4ead04fe75bdd308fccde6f1f
• Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
• Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
APIs
  • Part of subcall function 004068B4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
• GetFileAttributesA.KERNEL32(00000000,00000000,00406960,?,?,?,?,00000000,?,00406975,00406CA3,00000000,00406CE8,?,?,?), ref: 00406943
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AttributesCharFilePrev
• String ID:
• API String ID: 4082512850-0
• Opcode ID / Opcode Fuzzy Hash: ce07a51bfea017e2e55e9614cb9ba507b4cfa1873d9ff840f51688b3279052b8
• Instruction ID: 89044d1ea86e4fdb03922753e0a58770fdf95516ab6f2bcb8662fa4781c06fed
• Instruction Fuzzy Hash: 04E09B713043047FD701EFB2DD53E59B7ECD789704B524476B501F7682D5785E108468
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004075F7
  • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,022903AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID / Opcode Fuzzy Hash: 40637416ea930bd2570c4396363680a61cc257afb866cc0a67376a26f5c88c76
• Instruction ID: cd18fb99e22355188e9d2f817127a110343b64b119c62ac1cd4bac3fbb067e43
• Instruction Fuzzy Hash: 66E06D726081106BEB10A65ED880E6B67DCCFC6364F04447BBA04EB241C575AC0096B6
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408F7F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95), ref: 004071C7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID / Opcode Fuzzy Hash: b5d7a52e02d208d464bf7f6ecdaab9899475a573c382e68083ca8db3329c0493
• Instruction ID: 5be2c53bb0bc0b7205463fa080de9070734fc39b970025fcf129f6524892d52e
• Instruction Fuzzy Hash: F8E0D8B179830135F22500A44C87B76160E4780700F20403A3B10EE3D2D9BEA50A415F
APIs
• SetEndOfFile.KERNEL32(?,022B4000,00409E92,00000000), ref: 004075CB
  • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,022903AC,?,00409ADD,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 004073A7
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID / Opcode Fuzzy Hash: db8739a5fd2cf61c38ac8d555984da3fa994a5017d3c1d655494e9af8eb405ba
• Instruction ID: 3dced8f94abca6fd64a7c9696b134c452ef52fe1396460a469a389ba9e9200de
• Instruction Fuzzy Hash: 78C04CA160410057DB50A7BE8AC2A0672D85F5820430441B6B908DB287D678EC009615
APIs
• SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID / Opcode Fuzzy Hash: 3473aa6fdb671349066f074fc3b2aebd5c1d3b8cb352d1e979c386aa55b3b604
• Instruction ID: f94a5d2238f2ee5303b4d558b5d93000027bb0092eeb8c65c9d9a83f01a259cd
• Instruction Fuzzy Hash: A4B09BB661C2015DE705DAD5745153863D4D7C47103E14577F114D25C0D53C94154518
APIs
• SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
• Instruction ID: 8ce709a7dcc0858879a49907ae7d49f16bd3fabbd46d8b550b3201db24fc95e8
• Opcode Fuzzy Hash: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
• Instruction Fuzzy Hash: 46A022B8C00003B2CE80E2F08080A3C23282A883003C00AA2320EB2080C23EC0000A0A
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E44
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
• Instruction ID: e346e479d4e19dc6fbf4ec70e04c611644565a823529d475df5ed673f567dbda
• Opcode Fuzzy Hash: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
• Instruction Fuzzy Hash: 521172716082059BDB10FF19C881B5B3794AF84359F04847AF958AB3C6DA38EC008B6B
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
• Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
APIs
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
• Instruction ID: 0a303eee8e17872e34e3f08f3f74197a254d67d3e0467507f6d8b9a4d6bdce8a
• Opcode Fuzzy Hash: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
• Instruction Fuzzy Hash: 9FD0A7C1B00A6017D315F6BF498865B96C85F88685F08843BF684E73D1D67CAC00C3CD
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E3A), ref: 00407D73
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
• Instruction ID: 987a95dec6bedafdacc6f30d71d69a0298e18a8a9a30f6cccb61f0e346f0d057
• Opcode Fuzzy Hash: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
• Instruction Fuzzy Hash: 6FD0E9B17557045BDB90EEB94CC1B1237D97F48600F5044B66904EB296E674E800D614
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004092AF
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092B5
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092CE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092F5
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092FA
• ExitWindowsEx.USER32(00000002,00000000), ref: 0040930B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
• Instruction ID: 46e638963846eb8b1a8eef1e5041d40b59806408d3aca7422040dec9ba119927
• Opcode Fuzzy Hash: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
• Instruction Fuzzy Hash: 3FF012B079430276E620AAB58D07F6B62885BC5B48F50493EBA51FA1D3D7BCD8044A6E
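The call list above is the chain the report's "Contains functionality to shutdown / reboot the system" signature rests on: OpenProcessToken with access 0x28, LookupPrivilegeValueA for SeShutdownPrivilege, AdjustTokenPrivileges, then ExitWindowsEx with flag 0x2. Reading those numeric arguments by hand is error-prone, so the following Python script, an added example that is not part of the Joe Sandbox report or its IDA plugin, parses call records in the exact format this page uses, decodes the flag arguments with standard Win32 constant values (token access mask, EWX_* flags, VirtualAlloc/VirtualFree types and protections, resource type), and checks for the privilege-then-ExitWindowsEx sequence in call-site order. The RECORDS text is constructed by copying call lines from this section; everything else (function names, the chain rule) is the example's own. Note that the argument columns are stack snapshots taken at the call site, not validated parameters: the zero-argument GetCurrentProcess is listed with a value, and "?" marks values the sandbox could not recover.

```python
"""Decode Joe Sandbox 'APIs' call records into symbolic Win32 arguments.

Added example for this report; not part of Joe Sandbox or its IDA plugin.
RECORDS is copied from the function entries in this section and is the only
input; the constant tables hold standard Win32 values.
"""
import re
from dataclasses import dataclass

# Constructed input: call records copied from this section, one per call site.
RECORDS = """\
SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E44
VirtualFree.KERNEL32(?,00000000,00008000,?,00407E3A), ref: 00407D73
GetCurrentProcess.KERNEL32(00000028), ref: 004092AF
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092B5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092CE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092F5
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092FA
ExitWindowsEx.USER32(00000002,00000000), ref: 0040930B
FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0A
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

# Bit-flag arguments, keyed by (API name, zero-based argument index).
FLAGS = {
    ("OpenProcessToken", 1): {0x20: "TOKEN_ADJUST_PRIVILEGES", 0x8: "TOKEN_QUERY"},
    ("ExitWindowsEx", 0): {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT",
                           0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}
ZERO_NAMES = {("ExitWindowsEx", 0): "EWX_LOGOFF"}   # flag word whose zero has a name
# Enumerated (non-bitmask) arguments.
ENUMS = {
    ("VirtualAlloc", 3): {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
                          0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("FindResourceA", 2): {0xA: "RT_RCDATA"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


def parse_records(text: str) -> list:
    """Parse one record per line; an unmatched line means the format drifted, so fail loudly."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        calls.append(ApiCall(m["api"], m["module"], m["args"].split(","), m["ref"]))
    return calls


def decode_arg(api: str, index: int, raw: str) -> str:
    """Render one argument symbolically where a table exists, otherwise as hex."""
    if raw == "?":
        return "?"                      # the sandbox could not recover this value
    try:
        value = int(raw, 16)            # tokens such as -00000008 parse as negative
    except ValueError:
        return repr(raw)                # a string the sandbox resolved, e.g. 'SeShutdownPrivilege'
    key = (api, index)
    if key in ENUMS:
        return ENUMS[key].get(value, hex(value))
    if key in FLAGS:
        if value == 0:
            return ZERO_NAMES.get(key, hex(value))
        names = [name for bit, name in FLAGS[key].items() if value & bit]
        leftover = value & ~sum(FLAGS[key])
        if leftover:
            names.append(hex(leftover))  # bits the table does not know
        return "|".join(names)
    return hex(value)


def render(call: ApiCall) -> str:
    args = ", ".join(decode_arg(call.api, i, a) for i, a in enumerate(call.args))
    return f"{call.api}.{call.module}({args}) @ {call.ref}"


# Call sites that, in address order, add up to "reboot the machine".
REBOOT_CHAIN = ("OpenProcessToken", "LookupPrivilegeValueA",
                "AdjustTokenPrivileges", "ExitWindowsEx")


def find_reboot_chain(calls: list):
    """Return the refs of the chain if it appears in address order with
    SeShutdownPrivilege named in the lookup; otherwise None."""
    step, refs = 0, []
    for call in sorted(calls, key=lambda c: int(c.ref, 16)):
        if step == len(REBOOT_CHAIN):
            break
        if call.api != REBOOT_CHAIN[step]:
            continue
        if call.api == "LookupPrivilegeValueA" and "SeShutdownPrivilege" not in call.args:
            continue
        refs.append(call.ref)
        step += 1
    return refs if step == len(REBOOT_CHAIN) else None


if __name__ == "__main__":
    calls = parse_records(RECORDS)
    for call in calls:
        print(render(call))
    print("reboot chain:", find_reboot_chain(calls))
```

The chain rule deliberately requires the privilege name in the LookupPrivilegeValueA arguments; a sample that adjusts a different privilege before ExitWindowsEx, or that uses the wide-character LookupPrivilegeValueW, would not match and the table would need extending. The same decoder covers the VirtualAlloc (MEM_COMMIT, PAGE_READWRITE), VirtualFree (MEM_RELEASE) and FindResourceA (RT_RCDATA) entries listed elsewhere in this section.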
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0A
• SizeofResource.KERNEL32(00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB,?,00000000,0040A102), ref: 00409A1D
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB,?,00000000), ref: 00409A2F
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409AF5,00000000,0040A083,?,00000001,00000000,00000002,00000000,0040A0CB), ref: 00409A40
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 58fc42bb53a486e047bd3b1a9e6cb875a544f9bb80df9a72ae90c90d8efe33fe
• Instruction ID: ae0cc58948cf96eec5457f4820dc726c6d2182020e22fda74881949f5e0d997e
• Opcode Fuzzy Hash: 58fc42bb53a486e047bd3b1a9e6cb875a544f9bb80df9a72ae90c90d8efe33fe
• Instruction Fuzzy Hash: FAE07E9176538225FA6036FB08C3B2E010C4BA675DF04503BBB04792D3EEBC8C04452E
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
• Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
• Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
• Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
APIs
• GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409A74), ref: 00405C52
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
• Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
• Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
• Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction ID: bf64fe3dbf7489daa5b396f442bfdc43c732794851cc1dd68f6a4bedb61b4a1f
• Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction Fuzzy Hash: 7F32E875E00219DFCB14CF99CA80A9DB7B2BF88314F24816AD855B7395DB34AE42CF54
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406F71
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406F77
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406FC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
• Instruction ID: 82a514a35929d101a3f87db01d263b67a2005a07a92a8f1bbb0e3c876c3699bd
• Opcode Fuzzy Hash: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
• Instruction Fuzzy Hash: F3214130E44209AFDB10EAA1CC56B9F77B8AB44304F60857BA605F72C1D77CAA05C79E
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                  • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                  • String ID:
                                                                                  • API String ID: 1694776339-0
                                                                                  • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                  • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                  • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                  • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                  APIs
                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
                                                                                    • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                                    • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale$DefaultSystem
                                                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                  • API String ID: 1044490935-665933166
                                                                                  • Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                                  • Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
                                                                                  • Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                                  • Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                  • LocalFree.KERNEL32(004C0378,00000000,00401AB4), ref: 00401A1B
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,004C0378,00000000,00401AB4), ref: 00401A3A
                                                                                  • LocalFree.KERNEL32(004C1378,?,00000000,00008000,004C0378,00000000,00401AB4), ref: 00401A79
                                                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                  • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 3782394904-0
                                                                                  • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                  • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                  • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                  • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                  APIs
                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                  • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExitMessageProcess
                                                                                  • String ID: Error$Runtime error at 00000000$9@
                                                                                  • API String ID: 1220098344-1503883590
                                                                                  • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                  • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                  • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                  • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$AllocString
                                                                                  • String ID:
                                                                                  • API String ID: 262959230-0
                                                                                  • Opcode ID: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                                                                  • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                  • Opcode Fuzzy Hash: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                                                                  • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00409A6A), ref: 004030E3
                                                                                  • GetCommandLineA.KERNEL32(00000000,00409A6A), ref: 004030EE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CommandHandleLineModule
                                                                                  • String ID: U1hd.@$'J
                                                                                  • API String ID: 2123368496-3727854730
                                                                                  • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                  • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                  • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                  • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                  APIs
                                                                                  • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                  • String ID:
                                                                                  • API String ID: 730355536-0
                                                                                  • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                  • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                  • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                  • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040934F
                                                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040935F
                                                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 00409372
                                                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A026,000000FA,00000032,0040A08D), ref: 0040937C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2599521622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2599459279.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599561719.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2599597729.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastSleep
                                                                                  • String ID:
                                                                                  • API String ID: 1458359878-0
                                                                                  • Opcode ID: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
                                                                                  • Instruction ID: e54841d902c556b0a825a3a9b48dc11fcb5fd53647a295a33fe7abc41a02d5de
                                                                                  • Opcode Fuzzy Hash: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
                                                                                  • Instruction Fuzzy Hash: C6F0B472A0031497CB34A5EF9986A6F628DEADA768710403BFD04F73C3D538DD014AAD

                                                                                  Execution Graph

                                                                                  Execution Coverage: 16.2%
                                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                                  Signature Coverage: 5.7%
                                                                                  Total number of Nodes: 2000
                                                                                  Total number of Limit Nodes: 51
TlsGetValue VariantClear 52929->52989 52931 48914c 52933 446670 52932->52933 52992 435708 52933->52992 52935 44668f 52935->52868 52937 450d20 2 API calls 52936->52937 52938 451295 52937->52938 52939 451299 52938->52939 52940 4512bd MoveFileA GetLastError 52938->52940 52939->52889 52941 450d5c Wow64RevertWow64FsRedirection 52940->52941 52942 4512e3 52941->52942 52942->52889 52943->52799 52945 406b4f 52944->52945 52946 406b71 52945->52946 52947 406b68 52945->52947 52950 403778 4 API calls 52946->52950 52948 403400 4 API calls 52947->52948 52949 406b6f 52948->52949 52951 4469bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52949->52951 52950->52949 52951->52799 52952->52767 52953->52799 52954->52775 52955->52799 52956->52776 52957->52799 52958->52799 52959->52799 52960->52801 52961->52799 52962->52815 52963->52799 52964->52799 52965->52799 52966->52832 52967->52799 52968->52799 52969->52799 52970->52857 52971->52799 52972->52865 52973->52799 52974->52799 52975->52799 52976->52880 52977->52888 52978->52799 52979->52899 52980->52799 52982 4468f0 52981->52982 53015 435a70 VariantClear 52982->53015 52984 446913 52985 44692a 52984->52985 53016 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52984->53016 52985->52799 52987->52925 52988->52929 52989->52931 52990->52920 52991->52799 52993 435714 52992->52993 53008 435736 52992->53008 52993->53008 53012 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52993->53012 52994 4357b9 53014 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52994->53014 52996 4357a1 53003 403494 4 API calls 52996->53003 52997 435795 52997->52935 52998 435789 53002 403510 4 API calls 52998->53002 52999 43577d 53005 403510 4 API calls 52999->53005 53000 4357ad 53013 4040e8 18 API calls 53000->53013 53006 435792 53002->53006 53007 4357aa 53003->53007 53010 435786 53005->53010 53006->52935 53007->52935 53008->52994 53008->52996 53008->52997 53008->52998 53008->52999 53008->53000 53009 4357b6 53009->52935 53010->52935 53011 
4357ca 53011->52935 53012->53008 53013->53009 53014->53011 53015->52984 53016->52985 47541 416584 74285CF0 47542 40ce88 47543 40ce95 47542->47543 47544 40ce9a 47542->47544 47546 406ed8 CloseHandle 47543->47546 47546->47544 47547 48fb00 47601 403344 47547->47601 47549 48fb0e 47604 4056a0 47549->47604 47551 48fb13 47607 4098dc 47551->47607 47864 4032fc 47601->47864 47603 403349 GetModuleHandleA GetCommandLineA 47603->47549 47606 4056db 47604->47606 47865 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 47604->47865 47606->47551 47866 408fb4 47607->47866 47864->47603 47865->47606 47938 408c4c 47866->47938 47869 40856c GetSystemDefaultLCID 47873 4085a2 47869->47873 47870 4084f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 47870->47873 47871 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 47871->47873 47872 406d7c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 47872->47873 47873->47870 47873->47871 47873->47872 47877 408604 47873->47877 47874 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 47874->47877 47875 406d7c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 47875->47877 47876 4084f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 47876->47877 47877->47874 47877->47875 47877->47876 47878 408687 47877->47878 47979 403420 47878->47979 47881 4086b0 GetSystemDefaultLCID 47983 4084f8 GetLocaleInfoA 47881->47983 47884 403450 4 API calls 47885 4086f0 47884->47885 47886 4084f8 5 API calls 47885->47886 47887 408705 47886->47887 47888 4084f8 5 API calls 47887->47888 47889 408729 47888->47889 47989 408544 GetLocaleInfoA 47889->47989 47892 408544 GetLocaleInfoA 47893 408759 47892->47893 47894 4084f8 5 API calls 47893->47894 47895 408773 47894->47895 47896 408544 GetLocaleInfoA 47895->47896 47897 408790 47896->47897 47898 4084f8 5 API calls 47897->47898 47899 4087aa 47898->47899 47900 403450 4 API calls 47899->47900 47901 4087b7 47900->47901 47902 4084f8 5 API calls 47901->47902 47903 4087cc 47902->47903 
47904 403450 4 API calls 47903->47904 47905 4087d9 47904->47905 47906 408544 GetLocaleInfoA 47905->47906 47907 4087e7 47906->47907 47908 4084f8 5 API calls 47907->47908 47909 408801 47908->47909 47910 403450 4 API calls 47909->47910 47911 40880e 47910->47911 47912 4084f8 5 API calls 47911->47912 47913 408823 47912->47913 47914 403450 4 API calls 47913->47914 47915 408830 47914->47915 47916 4084f8 5 API calls 47915->47916 47917 408845 47916->47917 47918 408862 47917->47918 47919 408853 47917->47919 47921 403494 4 API calls 47918->47921 47997 403494 47919->47997 47922 408860 47921->47922 47923 4084f8 5 API calls 47922->47923 47924 408884 47923->47924 47925 4088a1 47924->47925 47926 408892 47924->47926 47928 403400 4 API calls 47925->47928 47927 403494 4 API calls 47926->47927 47929 40889f 47927->47929 47928->47929 47991 403634 47929->47991 47939 408c58 47938->47939 47946 406d7c LoadStringA 47939->47946 47959 4034e0 47946->47959 47949 403450 47950 403454 47949->47950 47953 403464 47949->47953 47952 4034bc 4 API calls 47950->47952 47950->47953 47951 403490 47955 403400 47951->47955 47952->47953 47953->47951 47974 402660 47953->47974 47956 403406 47955->47956 47957 40341f 47955->47957 47956->47957 47958 402660 4 API calls 47956->47958 47957->47869 47958->47957 47964 4034bc 47959->47964 47961 4034f0 47962 403400 4 API calls 47961->47962 47963 403508 47962->47963 47963->47949 47965 4034c0 47964->47965 47966 4034dc 47964->47966 47969 402648 47965->47969 47966->47961 47968 4034c9 47968->47961 47970 40264c 47969->47970 47971 402656 47969->47971 47970->47971 47973 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 47970->47973 47971->47968 47971->47971 47973->47971 47975 402664 47974->47975 47976 40266e 47974->47976 47975->47976 47978 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 47975->47978 47976->47951 47976->47976 47978->47976 47981 403426 47979->47981 47980 40344b 47980->47881 47981->47980 47982 402660 4 API calls 47981->47982 47982->47981 47984 408531 
47983->47984 47985 40851f 47983->47985 47987 403494 4 API calls 47984->47987 47986 4034e0 4 API calls 47985->47986 47988 40852f 47986->47988 47987->47988 47988->47884 47990 408560 47989->47990 47990->47892 47992 40363c 47991->47992 47993 4034bc 4 API calls 47992->47993 47994 40364f 47993->47994 47995 403450 4 API calls 47994->47995 47996 403677 47995->47996 47999 403498 47997->47999 47998 4034ba 47998->47922 47999->47998 48000 402660 4 API calls 47999->48000 48000->47998 53017 42e22b SetErrorMode 53018 41edec 53019 41ee31 53018->53019 53020 41edfb IsWindowVisible 53018->53020 53020->53019 53021 41ee05 IsWindowEnabled 53020->53021 53021->53019 53022 41ee0f 53021->53022 53023 402648 4 API calls 53022->53023 53024 41ee19 EnableWindow 53023->53024 53024->53019 50146 42eccc 50147 42ecd7 50146->50147 50148 42ecdb NtdllDefWindowProc_A 50146->50148 50148->50147 50149 478d57 50150 450130 5 API calls 50149->50150 50151 478d6b 50150->50151 50152 477ecc 23 API calls 50151->50152 50153 478d8f 50152->50153 50154 44a5d4 50155 44a5da 50154->50155 50156 4158e4 7 API calls 50155->50156 50157 44a5ef 50156->50157 50158 44a784 9 API calls 50157->50158 50159 44a626 50158->50159 53025 41faf0 53026 41faf9 53025->53026 53029 41fd94 53026->53029 53028 41fb06 53030 41fe86 53029->53030 53031 41fdab 53029->53031 53030->53028 53031->53030 53050 41f954 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53031->53050 53033 41fde1 53034 41fde5 53033->53034 53035 41fe0b 53033->53035 53051 41fb34 53034->53051 53060 41f954 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53035->53060 53039 41fe19 53041 41fe43 53039->53041 53042 41fe1d 53039->53042 53040 41fb34 10 API calls 53044 41fe09 53040->53044 53043 41fb34 10 API calls 53041->53043 53045 41fb34 10 API calls 53042->53045 53046 41fe55 53043->53046 53044->53028 53047 41fe2f 53045->53047 53048 41fb34 10 API calls 53046->53048 53049 41fb34 10 API calls 53047->53049 53048->53044 53049->53044 53050->53033 53052 41fb4f 
53051->53052 53053 41f8d4 4 API calls 53052->53053 53054 41fb65 53052->53054 53053->53054 53061 41f8d4 53054->53061 53056 41fbad 53057 41fbd0 SetScrollInfo 53056->53057 53069 41fa34 53057->53069 53060->53039 53062 418178 53061->53062 53063 41f8f1 GetWindowLongA 53062->53063 53064 41f92e 53063->53064 53065 41f90e 53063->53065 53081 41f860 GetWindowLongA GetSystemMetrics GetSystemMetrics 53064->53081 53080 41f860 GetWindowLongA GetSystemMetrics GetSystemMetrics 53065->53080 53068 41f91a 53068->53056 53070 41fa42 53069->53070 53071 41fa4a 53069->53071 53070->53040 53072 41fa89 53071->53072 53073 41fa79 53071->53073 53079 41fa87 53071->53079 53083 417de0 IsWindowVisible ScrollWindow SetWindowPos 53072->53083 53082 417de0 IsWindowVisible ScrollWindow SetWindowPos 53073->53082 53074 41fac9 GetScrollPos 53074->53070 53077 41fad4 53074->53077 53078 41fae3 SetScrollPos 53077->53078 53078->53070 53079->53074 53080->53068 53081->53068 53082->53079 53083->53079 53084 420530 53085 420543 53084->53085 53105 415ac8 53085->53105 53087 42068a 53088 4206a1 53087->53088 53112 41466c KiUserCallbackDispatcher 53087->53112 53092 4206b8 53088->53092 53113 4146b0 KiUserCallbackDispatcher 53088->53113 53089 42057e 53089->53087 53090 4205e9 53089->53090 53098 4205da MulDiv 53089->53098 53110 4207e0 20 API calls 53090->53110 53093 4206da 53092->53093 53114 41fff8 12 API calls 53092->53114 53096 420602 53096->53087 53111 41fff8 12 API calls 53096->53111 53109 41a29c LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 53098->53109 53101 42061f 53102 42063b MulDiv 53101->53102 53103 42065e 53101->53103 53102->53103 53103->53087 53104 420667 MulDiv 53103->53104 53104->53087 53106 415ada 53105->53106 53115 414408 53106->53115 53108 415af2 53108->53089 53109->53090 53110->53096 53111->53101 53112->53088 53113->53092 53114->53093 53116 414422 53115->53116 53119 4105e0 53116->53119 53118 414438 53118->53108 53122 40de2c 53119->53122 53121 4105e6 53121->53118 53123 40de8e 53122->53123 53124 
40de3f 53122->53124 53129 40de9c 53123->53129 53127 40de9c 19 API calls 53124->53127 53128 40de69 53127->53128 53128->53121 53132 40deac 53129->53132 53131 40dec2 53144 40e0d4 53131->53144 53132->53131 53141 40d768 53132->53141 53161 40e224 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53132->53161 53135 40d768 5 API calls 53136 40deca 53135->53136 53136->53135 53137 40df36 53136->53137 53147 40dce8 53136->53147 53139 40e0d4 5 API calls 53137->53139 53140 40de98 53139->53140 53140->53121 53142 40eb90 5 API calls 53141->53142 53143 40d772 53142->53143 53143->53132 53162 40d644 53144->53162 53148 40e0dc 5 API calls 53147->53148 53149 40dd1b 53148->53149 53150 40eaf4 5 API calls 53149->53150 53151 40dd26 53150->53151 53152 40eaf4 5 API calls 53151->53152 53153 40dd31 53152->53153 53154 40dd43 53153->53154 53155 40dd4c 53153->53155 53160 40dd49 53153->53160 53174 40dc50 19 API calls 53154->53174 53171 40db60 53155->53171 53158 403420 4 API calls 53159 40de17 53158->53159 53159->53136 53160->53158 53161->53132 53163 40eb90 5 API calls 53162->53163 53164 40d651 53163->53164 53165 40d664 53164->53165 53169 40ec94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53164->53169 53165->53136 53167 40d65f 53170 40d5e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53167->53170 53169->53167 53170->53165 53175 40ad04 19 API calls 53171->53175 53173 40db88 53173->53160 53174->53160 53175->53173 50160 4135d4 SetWindowLongA GetWindowLongA 50161 413631 SetPropA SetPropA 50160->50161 50162 413613 GetWindowLongA 50160->50162 50166 41f334 50161->50166 50162->50161 50163 413622 SetWindowLongA 50162->50163 50163->50161 50171 423ba4 50166->50171 50265 423a1c 50166->50265 50272 415208 50166->50272 50167 413681 50172 423bda 50171->50172 50190 423bfb 50172->50190 50279 423b00 50172->50279 50175 423c84 50179 423c8b 50175->50179 50180 423cbf 50175->50180 50176 423c25 50177 423c2b 50176->50177 50178 423ce8 50176->50178 50182 423c30 50177->50182 50195 423c5d 
50177->50195 50185 423d03 50178->50185 50186 423cfa 50178->50186 50181 423c91 50179->50181 50224 423f49 50179->50224 50183 424032 IsIconic 50180->50183 50184 423cca 50180->50184 50187 423eab SendMessageA 50181->50187 50188 423c9f 50181->50188 50191 423c36 50182->50191 50192 423d8e 50182->50192 50189 424046 GetFocus 50183->50189 50183->50190 50193 423cd3 50184->50193 50194 42406e 50184->50194 50288 42412c 11 API calls 50185->50288 50196 423d10 50186->50196 50197 423d01 50186->50197 50187->50190 50188->50190 50216 423c58 50188->50216 50245 423eee 50188->50245 50189->50190 50202 424057 50189->50202 50190->50167 50203 423db6 PostMessageA 50191->50203 50204 423c3f 50191->50204 50293 423b1c NtdllDefWindowProc_A 50192->50293 50200 424085 50193->50200 50193->50216 50310 4247e8 WinHelpA PostMessageA 50194->50310 50195->50190 50214 423c76 50195->50214 50215 423dd7 50195->50215 50201 424174 11 API calls 50196->50201 50289 423b1c NtdllDefWindowProc_A 50197->50289 50212 4240a3 50200->50212 50213 42408e 50200->50213 50201->50190 50309 41ef8c GetCurrentThreadId 74285940 50202->50309 50294 423b1c NtdllDefWindowProc_A 50203->50294 50209 423c48 50204->50209 50210 423e3d 50204->50210 50219 423c51 50209->50219 50220 423d66 IsIconic 50209->50220 50221 423e46 50210->50221 50222 423e77 50210->50222 50211 423dd1 50211->50190 50311 4244c4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 50212->50311 50223 42446c 5 API calls 50213->50223 50214->50216 50225 423da3 50214->50225 50283 423b1c NtdllDefWindowProc_A 50215->50283 50216->50190 50287 423b1c NtdllDefWindowProc_A 50216->50287 50218 42405e 50218->50190 50233 424066 SetFocus 50218->50233 50219->50216 50234 423d29 50219->50234 50227 423d82 50220->50227 50228 423d76 50220->50228 50296 423aac LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50221->50296 50284 423b1c NtdllDefWindowProc_A 50222->50284 50223->50190 50224->50190 50242 423f6f IsWindowEnabled 50224->50242 50231 424110 12 API calls 50225->50231 50292 423b1c 
NtdllDefWindowProc_A 50227->50292 50291 423b58 15 API calls 50228->50291 50231->50190 50232 423ddd 50239 423e1b 50232->50239 50240 423df9 50232->50240 50233->50190 50234->50190 50290 422be4 ShowWindow PostMessageA PostQuitMessage 50234->50290 50238 423e7d 50244 423e95 50238->50244 50285 41ee3c GetCurrentThreadId 74285940 50238->50285 50247 423a1c 6 API calls 50239->50247 50295 423aac LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50240->50295 50241 423e4e 50249 423e60 50241->50249 50297 41eef0 50241->50297 50242->50190 50243 423f7d 50242->50243 50257 423f84 IsWindowVisible 50243->50257 50252 423a1c 6 API calls 50244->50252 50245->50190 50253 423f10 IsWindowEnabled 50245->50253 50255 423e23 PostMessageA 50247->50255 50303 423b1c NtdllDefWindowProc_A 50249->50303 50252->50190 50253->50190 50258 423f1e 50253->50258 50254 423e01 PostMessageA 50254->50190 50255->50190 50257->50190 50259 423f92 GetFocus 50257->50259 50304 4122a8 7 API calls 50258->50304 50305 418178 50259->50305 50262 423fa7 SetFocus 50307 4151d8 50262->50307 50266 423aa5 50265->50266 50267 423a2c 50265->50267 50266->50167 50267->50266 50268 423a32 EnumWindows 50267->50268 50268->50266 50269 423a4e GetWindow GetWindowLongA 50268->50269 50312 4239b4 GetWindow 50268->50312 50270 423a6d 50269->50270 50270->50266 50271 423a99 SetWindowPos 50270->50271 50271->50266 50271->50270 50275 415215 50272->50275 50273 415270 50278 415279 50273->50278 50316 414ff4 46 API calls 50273->50316 50274 41527b 50315 424b24 13 API calls 50274->50315 50275->50273 50275->50274 50275->50278 50278->50167 50280 423b15 50279->50280 50281 423b0a 50279->50281 50280->50175 50280->50176 50281->50280 50282 4086b0 7 API calls 50281->50282 50282->50280 50283->50232 50284->50238 50286 41eec1 50285->50286 50286->50244 50287->50190 50288->50190 50289->50190 50290->50190 50291->50190 50292->50190 50293->50190 50294->50211 50295->50254 50296->50241 50298 41ef24 50297->50298 50299 41eef8 IsWindow 50297->50299 50298->50249 50300 
41ef12 50299->50300 50301 41ef07 EnableWindow 50299->50301 50300->50298 50300->50299 50302 402660 4 API calls 50300->50302 50301->50300 50302->50300 50303->50190 50304->50190 50306 418182 50305->50306 50306->50262 50308 4151f3 SetFocus 50307->50308 50308->50190 50309->50218 50310->50211 50311->50211 50313 4239d5 GetWindowLongA 50312->50313 50314 4239e1 50312->50314 50313->50314 50315->50278 50316->50278 50317 414614 KiUserCallbackDispatcher 53176 478df1 53177 478dfa 53176->53177 53179 478e25 53176->53179 53177->53179 53180 478e17 53177->53180 53178 478e64 53182 478e77 53178->53182 53183 478e84 53178->53183 53179->53178 53527 477814 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53179->53527 53525 46fe98 162 API calls 53180->53525 53186 478e7b 53182->53186 53187 478eb9 53182->53187 53189 478e9e 53183->53189 53190 478e8d 53183->53190 53185 478e57 53528 4779e0 37 API calls 53185->53528 53194 478e7f 53186->53194 53199 478f17 53186->53199 53200 478efc 53186->53200 53191 478ec2 53187->53191 53192 478edd 53187->53192 53188 478e1c 53188->53179 53526 408b70 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53188->53526 53530 477a50 37 API calls 53189->53530 53529 4779e0 37 API calls 53190->53529 53531 477a50 37 API calls 53191->53531 53532 477a50 37 API calls 53192->53532 53204 478f40 53194->53204 53205 478f5e 53194->53205 53534 477a50 37 API calls 53199->53534 53533 477a50 37 API calls 53200->53533 53206 478f55 53204->53206 53535 4779e0 37 API calls 53204->53535 53537 4776ac 23 API calls 53205->53537 53536 4776ac 23 API calls 53206->53536 53210 478f5c 53211 478f74 53210->53211 53212 478f6e 53210->53212 53213 478f72 53211->53213 53215 4779bc 37 API calls 53211->53215 53212->53213 53216 4779bc 37 API calls 53212->53216 53292 474fa4 53213->53292 53215->53213 53216->53213 53222 478fb5 53224 478fc5 53222->53224 53433 477d90 53222->53433 53452 478114 53224->53452 53227 478fcb 53228 47911b 53227->53228 53229 478fd8 53227->53229 53231 478030 18 API calls 53228->53231 
53457 48bbf8 53229->53457 53233 479119 53231->53233 53235 474c8c 39 API calls 53233->53235 53237 47913a 53235->53237 53239 403450 4 API calls 53237->53239 53242 47914a 53239->53242 53244 474c8c 39 API calls 53242->53244 53247 47915a 53244->53247 53293 42d76c GetWindowsDirectoryA 53292->53293 53294 474fc2 53293->53294 53295 403450 4 API calls 53294->53295 53296 474fcf 53295->53296 53297 42d798 GetSystemDirectoryA 53296->53297 53298 474fd7 53297->53298 53299 403450 4 API calls 53298->53299 53300 474fe4 53299->53300 53301 42d7c4 6 API calls 53300->53301 53302 474fec 53301->53302 53303 403450 4 API calls 53302->53303 53304 474ff9 53303->53304 53305 475002 53304->53305 53306 47501e 53304->53306 53569 42d0dc 53305->53569 53308 403400 4 API calls 53306->53308 53310 47501c 53308->53310 53312 475063 53310->53312 53313 42c7b4 5 API calls 53310->53313 53311 403450 4 API calls 53311->53310 53549 474e2c 53312->53549 53316 47503e 53313->53316 53318 403450 4 API calls 53316->53318 53317 403450 4 API calls 53319 47507f 53317->53319 53321 47504b 53318->53321 53320 47509d 53319->53320 53322 4035c0 4 API calls 53319->53322 53323 474e2c 8 API calls 53320->53323 53321->53312 53324 403450 4 API calls 53321->53324 53322->53320 53325 4750ac 53323->53325 53324->53312 53326 403450 4 API calls 53325->53326 53327 4750b9 53326->53327 53328 4750e1 53327->53328 53329 42c394 5 API calls 53327->53329 53330 475148 53328->53330 53331 474e2c 8 API calls 53328->53331 53332 4750cf 53329->53332 53333 475172 53330->53333 53334 475151 53330->53334 53335 4750f9 53331->53335 53337 4035c0 4 API calls 53332->53337 53336 42c394 5 API calls 53333->53336 53338 42c394 5 API calls 53334->53338 53340 403450 4 API calls 53335->53340 53341 47517f 53336->53341 53337->53328 53339 47515e 53338->53339 53342 4035c0 4 API calls 53339->53342 53343 475106 53340->53343 53344 4035c0 4 API calls 53341->53344 53345 475170 53342->53345 53346 475119 53343->53346 53577 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
53343->53577 53344->53345 53560 474f10 53345->53560 53348 474e2c 8 API calls 53346->53348 53350 475128 53348->53350 53352 403450 4 API calls 53350->53352 53354 475135 53352->53354 53353 403400 4 API calls 53355 4751ab 53353->53355 53354->53330 53578 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53354->53578 53357 475400 53355->53357 53358 475408 53357->53358 53358->53358 53580 452020 53358->53580 53361 403450 4 API calls 53362 475435 53361->53362 53363 403494 4 API calls 53362->53363 53364 475442 53363->53364 53365 40357c 4 API calls 53364->53365 53366 475450 53365->53366 53367 4557f0 23 API calls 53366->53367 53368 475458 53367->53368 53369 47546b 53368->53369 53614 454fe8 6 API calls 53368->53614 53371 42c394 5 API calls 53369->53371 53372 475478 53371->53372 53373 4035c0 4 API calls 53372->53373 53374 475488 53373->53374 53375 475492 CreateDirectoryA 53374->53375 53376 4754f8 53375->53376 53377 47549c GetLastError 53375->53377 53378 4035c0 4 API calls 53376->53378 53615 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53377->53615 53380 47550d 53378->53380 53598 4753a8 53380->53598 53381 4754b4 53616 406cf8 19 API calls 53381->53616 53384 4754c4 53386 42e650 5 API calls 53384->53386 53385 47551a 53603 45640c 53385->53603 53388 4754d4 53386->53388 53617 45052c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53388->53617 53389 475522 53391 47554b 53389->53391 53392 4035c0 4 API calls 53389->53392 53394 403420 4 API calls 53391->53394 53395 475538 53392->53395 53393 4754e9 53618 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53393->53618 53397 475565 53394->53397 53398 4753a8 25 API calls 53395->53398 53399 403420 4 API calls 53397->53399 53400 475543 53398->53400 53401 475572 53399->53401 53619 456478 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53400->53619 53403 47572c 53401->53403 53404 42c394 5 API calls 53403->53404 53405 475758 53404->53405 53406 4035c0 4 API calls 53405->53406 53407 475768 53406->53407 53408 4753a8 25 API calls 
53407->53408 53409 475775 53408->53409 53682 450bd4 53409->53682 53412 47578e 53414 450bd4 30 API calls 53412->53414 53415 47579b 53414->53415 53416 4757d4 53415->53416 53418 403494 4 API calls 53415->53418 53417 42e1d0 2 API calls 53416->53417 53419 4757e3 53417->53419 53418->53416 53420 42e1d0 2 API calls 53419->53420 53421 4757f0 53420->53421 53422 475823 GetProcAddress 53421->53422 53423 407884 19 API calls 53421->53423 53424 47583f 53422->53424 53425 475849 53422->53425 53426 47581b 53423->53426 53687 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53687 53428 403400 4 API calls 53425->53428 53686 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53426->53686 53430 47585e 53428->53430 53431 403400 4 API calls 53430->53431 53432 475866 53431->53432 53432->53222 53538 477bf8 31 API calls 53432->53538 53434 42c394 5 API calls 53433->53434 53435 477dbc 53434->53435 53436 4035c0 4 API calls 53435->53436 53437 477dcc 53436->53437 53438 4752cc 21 API calls 53437->53438 53439 477dda 53438->53439 53440 42e1d0 2 API calls 53439->53440 53441 477df2 53440->53441 53442 477e25 53441->53442 53443 407884 19 API calls 53441->53443 53702 45a4fc GetProcAddress GetProcAddress GetProcAddress 53442->53702 53445 477e1d 53443->53445 53706 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53445->53706 53446 477e2f 53448 477e3d 53446->53448 53707 451940 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53446->53707 53453 478125 53452->53453 53454 478160 53453->53454 53455 478150 53453->53455 53454->53227 53708 476ac4 6 API calls 53455->53708 53458 48bc02 53457->53458 53709 447acc 53458->53709 53525->53188 53527->53185 53528->53178 53529->53194 53530->53194 53531->53194 53532->53194 53533->53194 53534->53194 53535->53206 53536->53210 53537->53210 53538->53222 53550 42dc34 RegOpenKeyExA 53549->53550 53551 474e52 53550->53551 53552 474e56 53551->53552 53553 474e78 53551->53553 53554 42db64 6 API calls 53552->53554 53555 403400 4 API calls 53553->53555 53556 474e62 
53554->53556 53557 474e7f 53555->53557 53558 474e6d RegCloseKey 53556->53558 53559 403400 4 API calls 53556->53559 53557->53317 53558->53557 53559->53558 53561 474f1e 53560->53561 53562 42dc34 RegOpenKeyExA 53561->53562 53564 474f46 53562->53564 53563 474f77 53563->53353 53564->53563 53565 42db64 6 API calls 53564->53565 53566 474f5c 53565->53566 53567 42db64 6 API calls 53566->53567 53568 474f6e RegCloseKey 53567->53568 53568->53563 53570 4038a4 4 API calls 53569->53570 53573 42d0ef 53570->53573 53571 42d106 GetEnvironmentVariableA 53572 42d112 53571->53572 53571->53573 53574 403400 4 API calls 53572->53574 53573->53571 53576 42d119 53573->53576 53579 42da00 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53573->53579 53574->53576 53576->53311 53577->53346 53578->53330 53579->53573 53597 452040 53580->53597 53582 451dac 12 API calls 53582->53597 53583 452065 CreateDirectoryA 53584 4520dd 53583->53584 53585 45206f GetLastError 53583->53585 53586 403494 4 API calls 53584->53586 53585->53597 53588 4520e7 53586->53588 53589 403420 4 API calls 53588->53589 53590 452101 53589->53590 53592 403420 4 API calls 53590->53592 53593 45210e 53592->53593 53593->53361 53594 42e650 5 API calls 53594->53597 53597->53582 53597->53583 53597->53594 53620 42d848 53597->53620 53643 45055c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53597->53643 53644 406cf8 19 API calls 53597->53644 53645 45052c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53597->53645 53646 408b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53597->53646 53599 40d0d4 23 API calls 53598->53599 53600 4753c4 53599->53600 53647 4752cc 53600->53647 53602 4753df 53602->53385 53604 45641e 53603->53604 53605 456418 53603->53605 53607 403494 4 API calls 53604->53607 53606 45642c 53605->53606 53608 45641c 53605->53608 53610 403494 4 API calls 53606->53610 53609 45642a 53607->53609 53612 403400 4 API calls 53608->53612 53609->53389 53611 456438 53610->53611 53611->53389 53613 456441 53612->53613 53613->53389 53614->53369 
                                                                                  APIs
                                                                                  • LocalFileTimeToFileTime.KERNEL32(-00000034,?,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000,?,0046BDAE), ref: 0046A4EA
                                                                                    • Part of subcall function 004530B0: FindClose.KERNEL32(00000000,000000FF,0046A501,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000), ref: 004530C6
                                                                                    • Part of subcall function 004684DC: FileTimeToLocalFileTime.KERNEL32(?), ref: 004684E4
                                                                                    • Part of subcall function 004684DC: FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004684F3
                                                                                    • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                    • Part of subcall function 004529E0: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452B07
                                                                                  Strings
                                                                                  • Incrementing shared file count (32-bit)., xrefs: 0046B108
                                                                                  • Existing file's MD5 sum matches our file. Skipping., xrefs: 0046A841
                                                                                  • Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046A85C
                                                                                  • Existing file has a later time stamp. Skipping., xrefs: 0046A95B
                                                                                  • Time stamp of our file: %s, xrefs: 0046A530
                                                                                  • Existing file is a newer version. Skipping., xrefs: 0046A797
                                                                                  • Time stamp of our file: (failed to read), xrefs: 0046A53C
                                                                                  • Time stamp of existing file: (failed to read), xrefs: 0046A5CC
                                                                                  • Version of our file: (none), xrefs: 0046A691
                                                                                  • Dest filename: %s, xrefs: 0046A429
                                                                                  • Will register the file (a DLL/OCX) later., xrefs: 0046B082
                                                                                  • Non-default bitness: 64-bit, xrefs: 0046A444
                                                                                  • @, xrefs: 0046A384
                                                                                  • .tmp, xrefs: 0046AB43
                                                                                  • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046A563
                                                                                  • Couldn't read time stamp. Skipping., xrefs: 0046A8C1
                                                                                  • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046AA22
                                                                                  • Will register the file (a type library) later., xrefs: 0046B076
                                                                                  • Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046A850
                                                                                  • Dest file is protected by Windows File Protection., xrefs: 0046A482
                                                                                  • , xrefs: 0046A764, 0046A92C, 0046A9AA
                                                                                  • Incrementing shared file count (64-bit)., xrefs: 0046B0EF
                                                                                  • -- File entry --, xrefs: 0046A2D7
                                                                                  • InUn, xrefs: 0046ACD1
                                                                                  • User opted not to overwrite the existing file. Skipping., xrefs: 0046A9D9
                                                                                  • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046AA86
                                                                                  • Same version. Skipping., xrefs: 0046A871
                                                                                  • Version of existing file: %u.%u.%u.%u, xrefs: 0046A711
                                                                                  • Same time stamp. Skipping., xrefs: 0046A8E1
                                                                                  • Uninstaller requires administrator: %s, xrefs: 0046AD01
                                                                                  • Stripped read-only attribute., xrefs: 0046AA53
                                                                                  • Installing the file., xrefs: 0046AA95
                                                                                  • Version of our file: %u.%u.%u.%u, xrefs: 0046A685
                                                                                  • Failed to strip read-only attribute., xrefs: 0046AA5F
                                                                                  • Dest file exists., xrefs: 0046A550
                                                                                  • Non-default bitness: 32-bit, xrefs: 0046A450
                                                                                  • Time stamp of existing file: %s, xrefs: 0046A5C0
                                                                                  • Version of existing file: (none), xrefs: 0046A886
                                                                                  • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046A978
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$Local$CloseFindFullNamePathQuerySystemValue
                                                                                  • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                  • API String ID: 2131814033-2943590984
                                                                                  • Opcode ID: 3fdf83b18051d9a47e42d4fa58cd6ed3722659d7104968c675422b1d0dc0660e
                                                                                  • Instruction ID: 6336488f7475e0465b407838a80b096eb610c46dcf3f2914a726d1c87adbe53b
                                                                                  • Opcode Fuzzy Hash: 3fdf83b18051d9a47e42d4fa58cd6ed3722659d7104968c675422b1d0dc0660e
                                                                                  • Instruction Fuzzy Hash: 2B928130A042489FDB11DFA5C495BDDBBB1AF05308F1440ABE944BB392E7789E85CF5A

                                                                                  Control-flow Graph

(Graph for function 423ba4; the rendered graph's node/edge list and its executed/not-executed colouring are omitted. Windows APIs called directly from this function: IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible. Internal callees include 423b00, 40b3d4, 423b1c, 42412c, 424174, 418178, 4247e8, 41ef8c, 423aac, 423a1c, 41eef0, 41ee3c, 4122a8, 4151d8, 422be4, 404e54, 4244c4, 42446c and 424110.)
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: de7b7f7f6f0e45f39f4c4f25e6367e04e63d65c7eb0eaf5b5c68f4929e1db6c2
                                                                                  • Instruction ID: f04fb3084d0a65edbfcfad19f7d8c46e112c92b03ef581d164a2f2d40213a873
                                                                                  • Opcode Fuzzy Hash: de7b7f7f6f0e45f39f4c4f25e6367e04e63d65c7eb0eaf5b5c68f4929e1db6c2
                                                                                  • Instruction Fuzzy Hash: B3E18E34700124EFD710DF6AE595A5A77F4EB48305FA480AAE545AB352C73DEF82DB08

                                                                                  Control-flow Graph

(Graph for function 4620a8; the rendered graph's node/edge list and its executed/not-executed colouring are omitted. Windows APIs called directly from this function: LoadBitmapA, GetSystemMenu, AppendMenuA (twice). The remainder of the graph is a long sequence of calls into internal routines, most frequently 4145b4, 414574, 414594, 414ab0, 4149dc, 461558, 463930, 461890, 4618c0, 474c8c, 403494, 40357c, 45c1e0, 45c1f8, 45c204, 45c24c, 48c7a4, 48ca54, 48ca64, 42e648, 44f34c, 44f480, 429ff4, 40b3d4 and 4646bc; see the APIs list below for the Windows calls made inside those callees.)
                                                                                  APIs
                                                                                    • Part of subcall function 0048C854: GetWindowRect.USER32(00000000), ref: 0048C86A
                                                                                  • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00462477
                                                                                    • Part of subcall function 0041D648: GetObjectA.GDI32(?,00000018,00462491), ref: 0041D673
                                                                                    • Part of subcall function 00461F04: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00461FA1
                                                                                    • Part of subcall function 00461F04: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461FC7
                                                                                    • Part of subcall function 00461F04: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00462023
                                                                                    • Part of subcall function 00461F04: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462049
                                                                                    • Part of subcall function 004618C0: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046252C,00000000,00000000,00000000,0000000C,00000000), ref: 004618D8
                                                                                    • Part of subcall function 0048CA64: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048CA6E
                                                                                    • Part of subcall function 0048C7A4: 7427A570.USER32(00000000,?,?,?), ref: 0048C7C6
                                                                                    • Part of subcall function 0048C7A4: SelectObject.GDI32(?,00000000), ref: 0048C7EC
                                                                                    • Part of subcall function 0048C7A4: 7427A480.USER32(00000000,?,0048C84A,0048C843,?,00000000,?,?,?), ref: 0048C83D
                                                                                    • Part of subcall function 0048CA54: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048CA5E
                                                                                  • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021777CC,02179420,?,?,02179450,?,?,021794A0,?), ref: 004630EF
                                                                                  • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00463100
                                                                                  • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00463118
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$7427AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadRectSelectSystemUserWindow
                                                                                  • String ID: $(Default)$STOPIMAGE
                                                                                  • API String ID: 1307956546-770201673
                                                                                  • Opcode ID: dd3d8fd672a16393e323b753cc00e63073ac8476760509fc2b9c63bba26e635c
                                                                                  • Instruction ID: e2e6c99e134b60afcdfb023e5044024a3b924a9daadbdbff726cba202d2a439c
                                                                                  • Opcode Fuzzy Hash: dd3d8fd672a16393e323b753cc00e63073ac8476760509fc2b9c63bba26e635c
                                                                                  • Instruction Fuzzy Hash: F7F204786005609FCB00EF69D8D9F9973F1BF49304F1581B6E5089B36ADB74AC46CB8A
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?,?,00000000), ref: 004781FC
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?), ref: 00478245
                                                                                  • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF), ref: 00478252
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000,?,?,004794BF,?), ref: 0047829E
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047836B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000), ref: 00478347
                                                                                  • FindClose.KERNEL32(000000FF,00478372,0047836B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478398,?,00000000,00000000), ref: 00478365
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 3541575487-0
                                                                                  • Opcode ID: a1d840a3a95355ccfcd61814205dc4e240f9d7f89ce3454cd945cb85c4fc703f
                                                                                  • Instruction ID: 4b456bd8f44edda0f97990befda08fb9861f77685885b074d6f5825a5f55381f
                                                                                  • Opcode Fuzzy Hash: a1d840a3a95355ccfcd61814205dc4e240f9d7f89ce3454cd945cb85c4fc703f
                                                                                  • Instruction Fuzzy Hash: D9518371900608AFCB10DF65CC89ADEB7BCEB88315F1084BAA818E7351DA389F45CF58
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E7E1
                                                                                  • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E8A6
                                                                                  • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E8B4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNext
                                                                                  • String ID: unins$unins???.*
                                                                                  • API String ID: 3541575487-1009660736
                                                                                  • Opcode ID: 5954555e5c55a6f0c1627fdc79d7bc5d022b8e66c068dfac9c44a8b6961bbd7d
                                                                                  • Instruction ID: da53ebf0d1cd316440c2c9d692973d590bf560a688ad98a6ce3dd60fa39449aa
                                                                                  • Opcode Fuzzy Hash: 5954555e5c55a6f0c1627fdc79d7bc5d022b8e66c068dfac9c44a8b6961bbd7d
                                                                                  • Instruction Fuzzy Hash: C7316774A00108AFDB10EB66C985ADDBBFCEF05314F5044B6E408E72A2EB389F458F59
                                                                                  APIs
                                                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447D79), ref: 00447CBC
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00447D3D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID:
                                                                                  • API String ID: 2574300362-0
                                                                                  • Opcode ID: 8ac92d76eb4c457e5a836ea8d51ed146a922b316cb3139a6b1e03fbfd02b8e5e
                                                                                  • Instruction ID: 6c9917709a3bb01d3cef5f5576a292de38f6b5bc033f1de1a8ebe1fb7d1d4e76
                                                                                  • Opcode Fuzzy Hash: 8ac92d76eb4c457e5a836ea8d51ed146a922b316cb3139a6b1e03fbfd02b8e5e
                                                                                  • Instruction Fuzzy Hash: 215162B4E14105AFDB00EFA5C481AAEB7F8EF44315F10817AE414BB396DB789E05CB99
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,004510BF,?,?,-00000001,00000000), ref: 00451099
                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,004510BF,?,?,-00000001,00000000), ref: 004510A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileFindFirstLast
                                                                                  • String ID:
                                                                                  • API String ID: 873889042-0
                                                                                  • Opcode ID: 96ff706b865a0c3e89c7056d59f0f3c4ab756fbe47ee1fbad52e8f7b66ca27f2
                                                                                  • Instruction ID: dcd16dfe0d0acbeeb8a94117288214fa7a4cb679286425af3742c04ea9233ea0
                                                                                  • Opcode Fuzzy Hash: 96ff706b865a0c3e89c7056d59f0f3c4ab756fbe47ee1fbad52e8f7b66ca27f2
                                                                                  • Instruction Fuzzy Hash: 8BF04931A04248AB8B10EBA69C0149EF7FCDB45725710467BFC14D36D2DA384E088459
                                                                                  APIs
                                                                                  • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2299586839-0
                                                                                  • Opcode ID: 454902a201ecd8c2e3acffde7e58753429cd464d257c0cf4bbdc702fc318ca5b
                                                                                  • Instruction ID: aa8d71f0cf4996895b5714cb82768bd341bd21fdaf985382d0229dd3d02663df
                                                                                  • Opcode Fuzzy Hash: 454902a201ecd8c2e3acffde7e58753429cd464d257c0cf4bbdc702fc318ca5b
                                                                                  • Instruction Fuzzy Hash: 21E0223270021462C312A92A9C869FAB34C9718354F80427FB948EB3C2EDB89E4142A8
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240E9,?,00000000,004240F4), ref: 00423B46
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: NtdllProc_Window
                                                                                  • String ID:
                                                                                  • API String ID: 4255912815-0
                                                                                  • Opcode ID: 77c70bcfc7927947356adb6f285545ec865374c17fa01f2fb7cfae3df505fd29
                                                                                  • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                  • Opcode Fuzzy Hash: 77c70bcfc7927947356adb6f285545ec865374c17fa01f2fb7cfae3df505fd29
                                                                                  • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: 008a9077d124f579bb04a1004ac0de0847756ec584201c2ea88912a5e1bb432e
                                                                                  • Instruction ID: f3c69ebd9ed117dfcaeb8cc8e69b6e769c8652df099553d2070ab915e5811657
                                                                                  • Opcode Fuzzy Hash: 008a9077d124f579bb04a1004ac0de0847756ec584201c2ea88912a5e1bb432e
                                                                                  • Instruction Fuzzy Hash: 6CD0C2F120820053C701AE6C9C826DA358C8B84316F10483E7CC5EA3C3E6BCDB48965A
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ECE8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: NtdllProc_Window
                                                                                  • String ID:
                                                                                  • API String ID: 4255912815-0
                                                                                  • Opcode ID: 9024b4e4831e1ae9fb058c403311c5830c57d00addc6cc7f2e9f7de8ab8c4f6c
                                                                                  • Instruction ID: cb239410a598a835b8bea7527afbeda5977673bb60cf362c78a8a88c20d7e3ba
                                                                                  • Opcode Fuzzy Hash: 9024b4e4831e1ae9fb058c403311c5830c57d00addc6cc7f2e9f7de8ab8c4f6c
                                                                                  • Instruction Fuzzy Hash: 2BD0A77120010CAFCB00DEDAD840C6F33ADAB88700B60C915F518C7201C234EC51D7B8

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 390 468ca0-468cd0 391 468cd2-468cd9 390->391 392 468cdb 390->392 393 468ce2-468d1a call 403634 call 403738 call 42dcd8 391->393 392->393 400 468d35-468d5e call 403738 call 42dbfc 393->400 401 468d1c-468d30 call 403738 call 42dcd8 393->401 409 468d60-468d69 call 468a7c 400->409 410 468d6e-468d97 call 468b98 400->410 401->400 409->410 414 468da9-468dac call 403400 410->414 415 468d99-468da7 call 403494 410->415 419 468db1-468dfc call 468b98 call 42c394 call 468be0 call 468b98 414->419 415->419 428 468e12-468e33 call 453930 call 468b98 419->428 429 468dfe-468e11 call 468c08 419->429 436 468e35-468e88 call 468b98 call 4725b8 call 468b98 call 4725b8 call 468b98 428->436 437 468e89-468e90 428->437 429->428 436->437 438 468e92-468ecf call 4725b8 call 468b98 call 4725b8 call 468b98 437->438 439 468ed0-468ed7 437->439 438->439 443 468f18-468f1c 439->443 444 468ed9-468f17 call 468b98 * 3 439->444 446 468f1e-468f29 call 474c8c 443->446 447 468f2b-468f34 call 403494 443->447 444->443 458 468f39-469106 call 403778 call 468b98 call 474c8c call 468be0 call 403494 call 40357c * 2 call 468b98 call 403494 call 40357c * 2 call 468b98 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c call 468be0 call 474c8c 446->458 447->458 534 46911c-46912a call 468c08 458->534 535 469108-46911a call 468b98 458->535 539 46912f 534->539 540 469130-469158 call 468c08 call 468c3c call 468b98 535->540 539->540 546 46915d-469165 540->546 547 469167-46919d call 48bd54 546->547 548 4691bf-4691d5 RegCloseKey 546->548 547->548
                                                                                  APIs
                                                                                    • Part of subcall function 00468B98: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00492070,?,00468D8F,?,00000000,004691D6,?,_is1), ref: 00468BBB
                                                                                  • RegCloseKey.ADVAPI32(?,004691DD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00469225,?,?,00000001,00492070), ref: 004691D0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseValue
                                                                                  • String ID: " /SILENT$5.2.2$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                  • API String ID: 3132538880-2888065510
                                                                                  • Opcode ID: 8e400fefc372f4228430415f0abf4997977dbf4c0148ece2af7f1ed10c744407
                                                                                  • Instruction ID: 2b184e7f52b8dd81450d0be586453aca755d6178f524d2079868e467ff7f2638
                                                                                  • Opcode Fuzzy Hash: 8e400fefc372f4228430415f0abf4997977dbf4c0148ece2af7f1ed10c744407
                                                                                  • Instruction Fuzzy Hash: 11E15474A00109AFDB04DB95D995DAE73BDEB44304F60857BE4006B395EFB8BE01CB6A
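The API lines in these entries all follow one fixed notation: `Api.MODULE(arg,arg,...), ref: address`, where `?` marks an argument the sandbox could not recover, 8-digit hex values are dwords, and anything else is a string it resolved. The following is an added example, not part of the Joe Sandbox report and not the sandbox's own code: a Python parser for that notation, run over five lines copied from the entries in this section (the sample is constructed from them and is not a complete report), followed by a few triage heuristics that are the editor's own assumptions (dynamic API resolution via LoadLibrary*/GetProcAddress, registry writes, the `_is1` key suffix and `Inno Setup:` value names that mark an Inno Setup installer, and the Uninstall registry path). The heuristics are illustrative flags, not the sandbox's signatures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: "APIs" lines copied from the entries in this report, in the
# report's own "Api.MODULE(args), ref: address" notation. Not a complete report.
SAMPLE = r"""
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447D79), ref: 00447CBC
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00447D3D
• Part of subcall function 00468B98: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00492070,?,00468D8F,?,00000000,004691D6,?,_is1), ref: 00468BBB
• RegCloseKey.ADVAPI32(?,004691DD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00469225,?,?,00000001,00492070), ref: 004691D0
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046E8DA,?,?,00000001,00492070), ref: 0046E7E1
"""

# One call line: optional bullet, optional "Part of subcall function XXXX:" prefix,
# then Api.MODULE(arg,arg,...), ref: hexaddr
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The sandbox prints numeric arguments as 8 hex digits (optionally negative); "?" is unknown.
HEX_DWORD = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int          # address of the call instruction
    subcall: bool     # True when the line was attributed to a callee ("Part of subcall")

    @property
    def string_args(self) -> List[str]:
        """Arguments the sandbox resolved to strings (neither a hex dword nor '?')."""
        return [a for a in self.args if a != "?" and not HEX_DWORD.match(a)]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every well-formed API line in `text`; lines in any other format are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # The report does not quote string arguments, so a string containing a comma
        # would be split here; none of the strings in this report contain one.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def triage(calls: List[ApiCall]) -> Dict[str, object]:
    """Editor's own heuristics over the parsed calls (assumptions, not sandbox signatures)."""
    names = {c.api for c in calls}
    strings = [s for c in calls for s in c.string_args]
    return {
        # LoadLibrary* followed by GetProcAddress: imports resolved at run time
        "dynamic_api_resolution": any(n.startswith("LoadLibrary") for n in names)
                                   and "GetProcAddress" in names,
        "registry_write": any(n.startswith("RegSetValue") for n in names),
        # "_is1" key suffix and "Inno Setup: ..." value names are Inno Setup installer markers
        "inno_setup_markers": sorted({s for s in strings
                                      if s.startswith("Inno Setup") or s == "_is1"}),
        "uninstall_key": any("CurrentVersion\\Uninstall" in s for s in strings),
        "directory_enumeration": bool(names & {"FindFirstFileA", "FindFirstFileW"}),
    }


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.api} strings={c.string_args}")
    print(triage(parsed))
```

Feeding the whole exported report text to `parse_api_lines` gives one `ApiCall` per listed call across all functions; the `ref` addresses line up with the disassembly offsets shown in each entry, and the `string_args` collected this way are the same strings that appear in each entry's `String ID` field.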

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 915 4898f0-489924 call 403684 918 48993a-489947 call 403684 915->918 919 489926-489935 call 44660c Sleep 915->919 925 489949-48996c call 446668 call 403738 FindWindowA call 4468e8 918->925 926 489976-489983 call 403684 918->926 924 489dca-489de4 call 403420 919->924 944 489971 925->944 934 4899b2-4899bf call 403684 926->934 935 489985-4899ad call 446668 call 403738 FindWindowA call 4468e8 926->935 942 489a08-489a15 call 403684 934->942 943 4899c1-489a03 call 44660c * 4 SendMessageA call 4468e8 934->943 935->924 952 489a64-489a71 call 403684 942->952 953 489a17-489a5f call 44660c * 4 PostMessageA call 446740 942->953 943->924 944->924 964 489ac0-489acd call 403684 952->964 965 489a73-489abb call 44660c * 4 SendNotifyMessageA call 446740 952->965 953->924 977 489afa-489b07 call 403684 964->977 978 489acf-489af5 call 446668 call 403738 RegisterClipboardFormatA call 4468e8 964->978 965->924 990 489b48-489b55 call 403684 977->990 991 489b09-489b43 call 44660c * 3 SendMessageA call 4468e8 977->991 978->924 1003 489b9c-489ba9 call 403684 990->1003 1004 489b57-489b97 call 44660c * 3 PostMessageA call 446740 990->1004 991->924 1016 489bab-489beb call 44660c * 3 SendNotifyMessageA call 446740 1003->1016 1017 489bf0-489bfd call 403684 1003->1017 1004->924 1016->924 1028 489bff-489c1d call 446668 call 42e1d0 1017->1028 1029 489c52-489c5f call 403684 1017->1029 1046 489c2f-489c3d GetLastError call 4468e8 1028->1046 1047 489c1f-489c2d call 4468e8 1028->1047 1039 489cd9-489ce6 call 403684 1029->1039 1040 489c61-489c8d call 446668 call 403738 call 44660c GetProcAddress 1029->1040 1052 489ce8-489d09 call 44660c FreeLibrary call 446740 1039->1052 1053 489d0e-489d1b call 403684 1039->1053 1071 489cc9-489cd4 call 446740 1040->1071 1072 489c8f-489cc4 call 44660c * 2 call 4468e8 call 446740 1040->1072 1058 489c42-489c4d call 4468e8 1046->1058 1047->1058 1052->924 1068 489d1d-489d3b call 446668 call 403738 CreateMutexA 1053->1068 1069 489d40-489d4d call 403684 1053->1069 1058->924 1068->924 1079 489d4f-489d81 call 446668 call 403574 call 403738 OemToCharBuffA call 4469bc 1069->1079 1080 489d83-489d90 call 403684 1069->1080 1071->924 1072->924 1079->924 1092 489d92-489dc4 call 446668 call 403574 call 403738 CharToOemBuffA call 4469bc 1080->1092 1093 489dc6 1080->1093 1092->924 1093->924
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(00000000,00000000,00489DE5,?,?,?,?,00000000,00000000,00000000), ref: 00489930
                                                                                  • FindWindowA.USER32(00000000,00000000), ref: 00489961
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindSleepWindow
                                                                                  • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                  • API String ID: 3078808852-3310373309
                                                                                  • Opcode ID: 11aadbbc4c170190f4a34afd2cca014936b750219a751b0faab1f1189547b9c9
                                                                                  • Instruction ID: c39bd2ead2226f229d9df2653bd58b97473c78e3bea4bfa0a2e8f2c6fd329258
                                                                                  • Opcode Fuzzy Hash: 11aadbbc4c170190f4a34afd2cca014936b750219a751b0faab1f1189547b9c9
                                                                                  • Instruction Fuzzy Hash: A4C150A0B046406BD714FB7E8C4252E56999B89708B16CD3FB406EB78BCE3DDD06835E

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 1420 47b97c-47b9a1 GetModuleHandleA GetProcAddress 1421 47b9a3-47b9b9 GetNativeSystemInfo GetProcAddress 1420->1421 1422 47ba08-47ba0d GetSystemInfo 1420->1422 1423 47ba12-47ba1b 1421->1423 1424 47b9bb-47b9c6 GetCurrentProcess 1421->1424 1422->1423 1425 47ba1d-47ba21 1423->1425 1426 47ba2b-47ba32 1423->1426 1424->1423 1433 47b9c8-47b9cc 1424->1433 1427 47ba34-47ba3b 1425->1427 1428 47ba23-47ba27 1425->1428 1429 47ba4d-47ba52 1426->1429 1427->1429 1431 47ba3d-47ba44 1428->1431 1432 47ba29-47ba46 1428->1432 1431->1429 1432->1429 1433->1423 1435 47b9ce-47b9d5 call 450d18 1433->1435 1435->1423 1438 47b9d7-47b9e4 GetProcAddress 1435->1438 1438->1423 1439 47b9e6-47b9fd GetModuleHandleA GetProcAddress 1438->1439 1439->1423 1440 47b9ff-47ba06 1439->1440 1440->1423
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047B98D
                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047B99A
                                                                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047B9A8
                                                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047B9B0
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047B9BC
                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047B9DD
                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047B9F0
                                                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047B9F6
                                                                                  • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047BA0D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                  • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                  • API String ID: 2230631259-2623177817
                                                                                  • Opcode ID: 81eacbfa1117fc802ce85a6eb806590c881bfcf0bf282382394a4f17a0ea04d1
                                                                                  • Instruction ID: c73b0a6dce2ec8c546d6017445dcf813fc625a9fb72c38026e9dd29615451d51
                                                                                  • Opcode Fuzzy Hash: 81eacbfa1117fc802ce85a6eb806590c881bfcf0bf282382394a4f17a0ea04d1
                                                                                  • Instruction Fuzzy Hash: 1811BE42108340D8CB60B3B55D89BFB2658CB10718F18C43B688C76283EB7CCD849AEE

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,00463C3E,?,?,00000001,00000000,00000000,00463C59,?,00000000,00000000,?), ref: 00463C27
                                                                                  Strings
                                                                                  • Inno Setup: Icon Group, xrefs: 00463B02
                                                                                  • Inno Setup: Deselected Components, xrefs: 00463B68
                                                                                  • Inno Setup: Selected Tasks, xrefs: 00463B93
                                                                                  • %s\%s_is1, xrefs: 00463AA1
                                                                                  • Inno Setup: Setup Type, xrefs: 00463B36
                                                                                  • Inno Setup: User Info: Serial, xrefs: 00463C09
                                                                                  • Inno Setup: Selected Components, xrefs: 00463B46
                                                                                  • Inno Setup: No Icons, xrefs: 00463B0F
                                                                                  • Inno Setup: App Path, xrefs: 00463AE6
                                                                                  • Inno Setup: User Info: Organization, xrefs: 00463BF6
                                                                                  • Inno Setup: User Info: Name, xrefs: 00463BE3
                                                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00463A83
                                                                                  • Inno Setup: Deselected Tasks, xrefs: 00463BB5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                  • API String ID: 47109696-1093091907
                                                                                  • Opcode ID: 8d6299267fc6cafed9e48b8ef22c3bd00aa88e6b0c1ec62e8969358afa6a497b
                                                                                  • Instruction ID: dbabc4e6d65f788916ea02928a74f772d248f11b4c629be6c36095f62d234fb1
                                                                                  • Opcode Fuzzy Hash: 8d6299267fc6cafed9e48b8ef22c3bd00aa88e6b0c1ec62e8969358afa6a497b
                                                                                  • Instruction Fuzzy Hash: 9251A134A00788ABCB11DF65D952BDEBBB4EF44304F5080AAE844A7396E7786F05CB4D

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(701A0000,SHGetFolderPathA), ref: 0047582E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID: 2H$Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                  • API String ID: 190572456-2806916834
                                                                                  • Opcode ID: 6343bc9988d6265b4ba6d281d40f77122325604365d66226f20c22221f21ac89
                                                                                  • Instruction ID: 5a4b97917b168a48da4d645f6c4bb0672a7e70e8e7de77cb767a7cd1621b6e88
                                                                                  • Opcode Fuzzy Hash: 6343bc9988d6265b4ba6d281d40f77122325604365d66226f20c22221f21ac89
                                                                                  • Instruction Fuzzy Hash: FD311F70A00609DFCB10EBA5D982ADEB7B5EB04314F618477E804EF251D7B8AE04CB9D

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0041F35C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED3C,?,00423827,00423BA4,0041ED3C), ref: 0041F37A
                                                                                  • GetClassInfoA.USER32(00400000,00423614), ref: 00423837
                                                                                  • RegisterClassA.USER32(00490630), ref: 0042384F
                                                                                  • GetSystemMetrics.USER32(00000000), ref: 00423871
                                                                                  • GetSystemMetrics.USER32(00000001), ref: 00423880
                                                                                  • SetWindowLongA.USER32(004105E8,000000FC,00423624), ref: 004238DC
                                                                                  • SendMessageA.USER32(004105E8,00000080,00000001,00000000), ref: 004238FD
                                                                                  • GetSystemMenu.USER32(004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4,0041ED3C), ref: 00423908
                                                                                  • DeleteMenu.USER32(00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4,0041ED3C), ref: 00423917
                                                                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423924
                                                                                  • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105E8,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042393A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                  • String ID:
                                                                                  • API String ID: 183575631-0
                                                                                  • Opcode ID: 366bcff5bffb3164fdbe23fc2e60ac014bdc14989a75390d73933288121bc891
                                                                                  • Instruction ID: 7dff32b1696b5347cc3ef800d63acf607d09fd6a935ce00206748f93829a4864
                                                                                  • Opcode Fuzzy Hash: 366bcff5bffb3164fdbe23fc2e60ac014bdc14989a75390d73933288121bc891
                                                                                  • Instruction Fuzzy Hash: 003171B17402506AEB10BF659C82F663698AB14708F60017BFA44EF2E7C6BDED40876D

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetActiveWindow.USER32 ref: 0042ED3B
                                                                                  • GetFocus.USER32 ref: 0042ED43
                                                                                  • RegisterClassA.USER32(004907AC), ref: 0042ED64
                                                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EE38,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EDA2
                                                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EDE8
                                                                                  • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EDF9
                                                                                  • SetFocus.USER32(00000000,00000000,0042EE1B,?,?,?,00000001,00000000,?,0045632E,00000000,00491628), ref: 0042EE00
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                  • String ID: TWindowDisabler-Window
                                                                                  • API String ID: 3167913817-1824977358
                                                                                  • Opcode ID: 3d4f519cdb620a71b4f0e13988cdd06d59f2b7e8071267d81529963f17bb93ef
                                                                                  • Instruction ID: a8040b228ffa9ea72695ab5da3b332a361a093092e16a63929ba4bab04f271a4
                                                                                  • Opcode Fuzzy Hash: 3d4f519cdb620a71b4f0e13988cdd06d59f2b7e8071267d81529963f17bb93ef
                                                                                  • Instruction Fuzzy Hash: 5B21E570740711BBE310EB62DC02F1776A8EB00B04F614437F504AB2D2D7BCAC4086AC

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 0045180C
                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451812
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 00451826
                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045182C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                  • API String ID: 1646373207-2130885113
                                                                                  • Opcode ID: fd822e8785bcc495b0541c45cdb3aa014e2fe203dd414402aff0c87aba0b0540
                                                                                  • Instruction ID: b872f96e2855e1e26fba384a70127fce6a1bfa28dc68f2582c11e45a4918eba5
                                                                                  • Opcode Fuzzy Hash: fd822e8785bcc495b0541c45cdb3aa014e2fe203dd414402aff0c87aba0b0540
                                                                                  • Instruction Fuzzy Hash: 9C018474200341AEDB21FBA29C06B963A58D711799F50483BFC00966B3D7FC4C088A2D

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00475573,?,?,00000000,00491628,00000000,00000000,?,0048F526,00000000,0048F6CF,?,00000000), ref: 00475493
                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00475573,?,?,00000000,00491628,00000000,00000000,?,0048F526,00000000,0048F6CF,?,00000000), ref: 0047549C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                  • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                                  • API String ID: 1375471231-1421604804
                                                                                  • Opcode ID: 7242027f50a6839e64bb15ed11bf6ce5b440476fb49e9234b4e706b21fbee4ab
                                                                                  • Instruction ID: d88b9792eba20e06b3b9cfa71813e17b1e270a25d1f95deed3261327946b49cc
                                                                                  • Opcode Fuzzy Hash: 7242027f50a6839e64bb15ed11bf6ce5b440476fb49e9234b4e706b21fbee4ab
                                                                                  • Instruction Fuzzy Hash: 0B415634A00609ABCB01EF95C881ADEB7B5EF48305F50843BE9157B396DB78AE05CF58

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • RegisterClipboardFormatA.USER32(commdlg_help), ref: 004300F4
                                                                                  • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430103
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0043011D
                                                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 0043013E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                  • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                  • API String ID: 4130936913-2943970505
                                                                                  • Opcode ID: 9528230066ae32ba9963f774afa01b65538c4e95d61a1536fc76262b92547268
                                                                                  • Instruction ID: a1a34dee2eef4cb6902cc6c5db4b5b1e6b8a528ce901b829395f91b2b6c2fdf2
                                                                                  • Opcode Fuzzy Hash: 9528230066ae32ba9963f774afa01b65538c4e95d61a1536fc76262b92547268
                                                                                  • Instruction Fuzzy Hash: E6F082708483808ADB00EB75880271A7BE0AB58708F04467FF898A63E1D7399900DF5F
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453614,00453614,?,00453614,00000000), ref: 004535A0
                                                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453614,00453614,?,00453614), ref: 004535AD
                                                                                    • Part of subcall function 00453364: WaitForInputIdle.USER32(?,00000032), ref: 00453390
                                                                                    • Part of subcall function 00453364: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
                                                                                    • Part of subcall function 00453364: GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
                                                                                    • Part of subcall function 00453364: CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                  • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                  • API String ID: 854858120-615399546
                                                                                  • Opcode ID: 08d223736257814d70cc7505230b24bb262e9e7c1e193099fc0a6506b054be0b
                                                                                  • Instruction ID: 03a2ba6a9c4a75c0bfd5b6233ad26ca07513ce10ebe49def0aa635c75447425c
                                                                                  • Opcode Fuzzy Hash: 08d223736257814d70cc7505230b24bb262e9e7c1e193099fc0a6506b054be0b
                                                                                  • Instruction Fuzzy Hash: 5951457460034DABCB11EFA5C882B9DBBB9AF45746F50443BB804A7392D7789B098B58
                                                                                  APIs
                                                                                  • LoadIconA.USER32(00400000,MAINICON), ref: 004236B4
                                                                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 004236E1
                                                                                  • OemToCharA.USER32(?,?), ref: 004236F4
                                                                                  • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 00423734
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Char$FileIconLoadLowerModuleName
                                                                                  • String ID: 2$MAINICON
                                                                                  • API String ID: 3935243913-3181700818
                                                                                  • Opcode ID: 52b29c86000e8ce499910051b00ca9786832e5995c45291c2465fa7e376696e2
                                                                                  • Instruction ID: a9bc4bb92a206677b73de4cdc18b7b415be5be97d03745e7619b52054e60faee
                                                                                  • Opcode Fuzzy Hash: 52b29c86000e8ce499910051b00ca9786832e5995c45291c2465fa7e376696e2
                                                                                  • Instruction Fuzzy Hash: EE31A2B0A042559ADB10EF79C8C57C67BE8AF14308F4441BAE844DB393D7BED988CB59
                                                                                  APIs
                                                                                  • GetCurrentProcessId.KERNEL32(00000000), ref: 00418ED5
                                                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 00418EF6
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00418F11
                                                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F32
                                                                                    • Part of subcall function 00423060: 7427A570.USER32(00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230B6
                                                                                    • Part of subcall function 00423060: EnumFontsA.GDI32(00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230C9
                                                                                    • Part of subcall function 00423060: 74284620.GDI32(00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230D1
                                                                                    • Part of subcall function 00423060: 7427A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230DC
                                                                                    • Part of subcall function 00423624: LoadIconA.USER32(00400000,MAINICON), ref: 004236B4
                                                                                    • Part of subcall function 00423624: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 004236E1
                                                                                    • Part of subcall function 00423624: OemToCharA.USER32(?,?), ref: 004236F4
                                                                                    • Part of subcall function 00423624: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F7E,00000000,?,?,?,00000001), ref: 00423734
                                                                                    • Part of subcall function 0041F0B0: GetVersion.KERNEL32(?,00418F88,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                                    • Part of subcall function 0041F0B0: SetErrorMode.KERNEL32(00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0DA
                                                                                    • Part of subcall function 0041F0B0: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0E6
                                                                                    • Part of subcall function 0041F0B0: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0F4
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F124
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F14D
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F162
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F177
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F18C
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1A1
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1B6
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1CB
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1E0
                                                                                    • Part of subcall function 0041F0B0: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1F5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$7427AtomCharCurrentErrorGlobalLoadMode$74284620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                                  • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                  • API String ID: 455100837-2767913252
                                                                                  • Opcode ID: 4c26dbfd22db78521be0a09630effd929be79fefc8ff9fe1c91013bb97fcb4f6
                                                                                  • Instruction ID: 31da0b60f3cb059b68cd2024c7d929c347bad9d9a2b787a7abb6bbdbc55677b1
                                                                                  • Opcode Fuzzy Hash: 4c26dbfd22db78521be0a09630effd929be79fefc8ff9fe1c91013bb97fcb4f6
                                                                                  • Instruction Fuzzy Hash: 901100B4A182419AC740FF7A984274A77E1ABA4309F44853FF448EB3E1DB3D99458B1E
                                                                                  APIs
                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 004135FC
                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00413607
                                                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413619
                                                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 0041362C
                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 00413643
                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 0041365A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: LongWindow$Prop
                                                                                  • String ID:
                                                                                  • API String ID: 3887896539-0
                                                                                  • Opcode ID: 4339cc9e18f10e45379eff93a9f1c90239a28d3597131de0ecc2ed647b007356
                                                                                  • Instruction ID: 0f0adcb05922a230dec6ee4b02f9febc34160f2d73bea823af684f70641d33a7
                                                                                  • Opcode Fuzzy Hash: 4339cc9e18f10e45379eff93a9f1c90239a28d3597131de0ecc2ed647b007356
                                                                                  • Instruction Fuzzy Hash: 5A11CC76100244BFDF40DF99DC88E9A3BF8AB19364F114266F918DB2E1D739DD908B58
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453C03,?,00000000,00453C43), ref: 00453B49
                                                                                  Strings
                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453ACC
                                                                                  • PendingFileRenameOperations2, xrefs: 00453B18
                                                                                  • WININIT.INI, xrefs: 00453B78
                                                                                  • PendingFileRenameOperations, xrefs: 00453AE8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                  • API String ID: 47109696-2199428270
                                                                                  • Opcode ID: 2c258d37aee220e3f69fdfe60538bfbf1130a528104dc47db43563c74dd72cc1
                                                                                  • Instruction ID: e17426e9fbb7a66f5e6261b5980cfadcb0f519ca5f0626cdc819d35c9a67e570
                                                                                  • Opcode Fuzzy Hash: 2c258d37aee220e3f69fdfe60538bfbf1130a528104dc47db43563c74dd72cc1
                                                                                  • Instruction Fuzzy Hash: 8551A571E002489BDB11EF61DC51ADEB7B9EF44345F5081BBE804B7282EB78AB45CA18
                                                                                  APIs
                                                                                  • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00461FA1
                                                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461FC7
                                                                                    • Part of subcall function 00461E44: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00461EDC
                                                                                    • Part of subcall function 00461E44: DestroyCursor.USER32(00000000), ref: 00461EF2
                                                                                  • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00462023
                                                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462049
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                                                                  • String ID: c:\directory
                                                                                  • API String ID: 2926980410-3984940477
                                                                                  • Opcode ID: 5194c65c3269dafb1668497fbf87d1d210523d8897b60a23e8c3a4391423d21e
                                                                                  • Instruction ID: 7ea75e076aff8093e5049247e13a602e38cf95ebb48025f5e3f3f0ae895ce402
                                                                                  • Opcode Fuzzy Hash: 5194c65c3269dafb1668497fbf87d1d210523d8897b60a23e8c3a4391423d21e
                                                                                  • Instruction Fuzzy Hash: 0E417034600648AFDB21DB65CD89FDBBBE9EB48704F1040A6F904D7391D679EE80CB59
                                                                                  APIs
                                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 0042DC68
                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DDEB,00000000,0042DE03,?,?,?,?,00000005,?,00000000,0048E932), ref: 0042DC83
                                                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DC89
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressDeleteHandleModuleProc
                                                                                  • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                  • API String ID: 588496660-1846899949
                                                                                  • Opcode ID: b0fbce93ce575fdc2c8693853eb6255ef9b1a7508dcdbe8f5181661bc77f2907
                                                                                  • Instruction ID: eddbb1ccdc479b08d3a5db846f04dddb9c9689732034fbf648c66dc0f13b918d
                                                                                  • Opcode Fuzzy Hash: b0fbce93ce575fdc2c8693853eb6255ef9b1a7508dcdbe8f5181661bc77f2907
                                                                                  • Instruction Fuzzy Hash: EAE06DF0F41230ABD620276BBC4AFA3262C9F65325F584437F106A62A186FC4C80DF5C
                                                                                  APIs
                                                                                  • SetActiveWindow.USER32(?,?,00000000,0047B43D,?,?,00000001,?), ref: 0047B239
                                                                                  • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047B2AE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ActiveChangeNotifyWindow
                                                                                  • String ID: $Need to restart Windows? %s
                                                                                  • API String ID: 1160245247-4200181552
                                                                                  • Opcode ID: 49b3778517713bdb2557e46826310c4bd597fc09cdaeb7894a3b6d26a91a25b2
                                                                                  • Instruction ID: 114ac4b44b5b00e731bcf7b635d291de4245cdb37201357886b7dcbb33a133ac
                                                                                  • Opcode Fuzzy Hash: 49b3778517713bdb2557e46826310c4bd597fc09cdaeb7894a3b6d26a91a25b2
                                                                                  • Instruction Fuzzy Hash: 4E91A3346042459FCB00EB69D885B9E77F4EF55304F1080BBE8049B362DB78AD45CB9E
                                                                                  APIs
                                                                                    • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                    • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                                  • GetLastError.KERNEL32(00000000,00469769,?,?,00000001,00492070), ref: 00469646
                                                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 004696C0
                                                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004696E5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeNotify$CharErrorFullLastNamePathPrev
                                                                                  • String ID: Creating directory: %s
                                                                                  • API String ID: 2168629741-483064649
                                                                                  • Opcode ID: 3d4be0d59a8186afbe19147c6485f89fb6dd7a99673a3f76b68947bb98e15cf6
                                                                                  • Instruction ID: 39fbb5110f2ce61d64d63b7eb4c6f8db95eeecb92d3a4444acd7006c5b3e2544
                                                                                  • Opcode Fuzzy Hash: 3d4be0d59a8186afbe19147c6485f89fb6dd7a99673a3f76b68947bb98e15cf6
                                                                                  • Instruction Fuzzy Hash: F4512274A04248EBDB01DFA5D582BDEB7F9AF48305F50816AE811B7382D7B85E04CB59
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045326A
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00453330), ref: 004532D4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressByteCharMultiProcWide
                                                                                  • String ID: SfcIsFileProtected$sfc.dll
                                                                                  • API String ID: 2508298434-591603554
                                                                                  • Opcode ID: a7581481b25a0738c2b9d603de68152674b802b49e63467cb469883107568cfe
                                                                                  • Instruction ID: da0c0b73e4484b0d956c0617eda922bc647b017f41fd73a43e663524e5650ff4
                                                                                  • Opcode Fuzzy Hash: a7581481b25a0738c2b9d603de68152674b802b49e63467cb469883107568cfe
                                                                                  • Instruction Fuzzy Hash: F4417470A003189BEB10DF65DC89B9D77A8EB0430AF5080B7AD08A7292D7785F48CF1C
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,?,?,L]E,00000000,4]E,?,?,?,00000000,00450E5E,?,?,?,00000001), ref: 00450E38
                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,L]E,00000000,4]E,?,?,?,00000000,00450E5E,?,?,?,00000001), ref: 00450E40
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateErrorLastProcess
                                                                                  • String ID: 4]E$L]E
                                                                                  • API String ID: 2919029540-3190835428
                                                                                  • Opcode ID: 8d7e75a497fa8892f9d2aaf0e610c0da6345f1f110309fad47ac0f1205f36ccc
                                                                                  • Instruction ID: 36614b17b6321cc5c4ec2c76ccd23ddb11372e56904a959455bbf5e2affa7189
                                                                                  • Opcode Fuzzy Hash: 8d7e75a497fa8892f9d2aaf0e610c0da6345f1f110309fad47ac0f1205f36ccc
                                                                                  • Instruction Fuzzy Hash: F3113976600208AF8B50DEA9EC41DEFB7ECEB4D710B614966BD08D3241D638EE158BA4
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,00453E0F,?,00000001,00000000), ref: 00453E02
                                                                                  Strings
                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453DB0
                                                                                  • PendingFileRenameOperations2, xrefs: 00453DE3
                                                                                  • PendingFileRenameOperations, xrefs: 00453DD4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                  • API String ID: 47109696-2115312317
                                                                                  • Opcode ID: 36db5bb17954ea767181804f2f85a17aed559ad6800464154c3dbb056f6ae4bf
                                                                                  • Instruction ID: 4b6a90d0bc14d3bc9c3fb9912a03eb94e7c702ceaa5b5df73397897c0cee9a07
                                                                                  • Opcode Fuzzy Hash: 36db5bb17954ea767181804f2f85a17aed559ad6800464154c3dbb056f6ae4bf
                                                                                  • Instruction Fuzzy Hash: B2F0C232344308BBDB06DA669C03A1AB7DCD744752FA0446AF80097A82DA79BF14962C
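                                                                                   The SfcIsFileProtected lookup a few blocks above and the PendingFileRenameOperations check that ends here are the two functions in this stretch of the listing a responder would pull out first. As an added example (this is not Joe Sandbox code and not part of the report), the Python below parses these per-function summary blocks into records, decodes the predefined registry root handle in the first argument of RegOpenKeyExA, and flags every block that mentions an indicator of interest. The sample input is a constructed, trimmed copy of those two blocks; the indicator table and its one-line readings are this example's assumptions, not something the report states.

```python
"""Parse the per-function summary blocks of a Joe Sandbox report ('APIs' / 'Strings' /
'Similarity') into records and pick out the functions a responder would read first."""
import re
from dataclasses import dataclass, field

# Predefined registry root handles, as they appear in the report's hex argument lists.
ROOT_KEYS = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# Indicators worth a second look (the readings are this example's assumptions, not the report's).
INDICATORS = {
    "PendingFileRenameOperations": "reads the Session Manager pending-rename list (reboot-time file replacement)",
    "SfcIsFileProtected": "resolves sfc.dll!SfcIsFileProtected at run time (Windows File Protection check)",
    "CreateProcessA": "spawns a child process",
}

API_RE = re.compile(r"^(?P<sub>Part of subcall function [0-9A-F]+: )?(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
                    r"\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Constructed input: two blocks copied from this report's function listing, trimmed to the
# lines the parser uses.
SAMPLE = r"""
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045326A
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00453330), ref: 004532D4
Strings
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegCloseKey.ADVAPI32(?,00453E0F,?,00000001,00000000), ref: 00453E02
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453DB0
• PendingFileRenameOperations, xrefs: 00453DD4
Similarity
• API ID: CloseOpen
• API String ID: 47109696-2115312317
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for '• Part of subcall function ...' entries

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)
    fields: dict = field(default_factory=dict)    # the 'Similarity' key/value lines

def parse_blocks(text: str) -> list:
    """Split the listing into FunctionBlock records; every 'APIs' header starts a new one."""
    blocks, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionBlock()
                blocks.append(current)
            section = line
        elif line.startswith("•") and current is not None:
            entry = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(entry)):
                current.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), m["ref"], bool(m["sub"])))
            elif section == "Strings" and (m := STRING_RE.match(entry)):
                current.strings.append((m["text"], m["ref"]))
            elif section == "Similarity":
                key, _, value = entry.partition(":")
                current.fields[key.strip()] = value.strip()
    return blocks

def registry_targets(block: FunctionBlock) -> list:
    """Render RegOpenKeyEx* calls as ROOT\\subkey so the target key is readable at a glance."""
    return [f"{ROOT_KEYS.get(c.args[0], c.args[0])}\\{c.args[1]}"
            for c in block.apis if c.name.startswith("RegOpenKeyEx") and len(c.args) >= 2]

def flag(block: FunctionBlock) -> list:
    """Indicator names found in the block's API names, arguments, strings or String ID field."""
    haystack = [c.name for c in block.apis] + [a for c in block.apis for a in c.args]
    haystack += [s for s, _ in block.strings] + [block.fields.get("String ID", "")]
    return sorted(ind for ind in INDICATORS if any(ind in h for h in haystack))

def triage(text: str) -> list:
    """(API String ID, indicators, registry targets) for each block that hits an indicator."""
    rows = []
    for b in parse_blocks(text):
        if hits := flag(b):
            rows.append((b.fields.get("API String ID", ""), hits, registry_targets(b)))
    return rows

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the full listing, this turns a few thousand lines of per-function blocks into a short table keyed by the report's own "API String ID", which is also the value to search for when comparing this sample's functions with other reports.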
                                                                                  APIs
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0046BDE9,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172), ref: 0046BDC5
                                                                                  • FindClose.KERNEL32(000000FF,0046BDF0,0046BDE9,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172,?), ref: 0046BDE3
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0046BF0B,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172), ref: 0046BEE7
                                                                                  • FindClose.KERNEL32(000000FF,0046BF12,0046BF0B,?,00000000,?,00000001,00000000,0046BFB7,?,00000000,?,00000000,?,0046C172,?), ref: 0046BF05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$CloseFileNext
                                                                                  • String ID:
                                                                                  • API String ID: 2066263336-0
                                                                                  • Opcode ID: bf85992c3290785de341d74331a1fc3e3988298a1f831191f2a0cc2316a5c01a
                                                                                  • Instruction ID: 2dae98842d91c59889c1c18b4767c348dd3ab6512f57785b0b5d287fbef141cf
                                                                                  • Opcode Fuzzy Hash: bf85992c3290785de341d74331a1fc3e3988298a1f831191f2a0cc2316a5c01a
                                                                                  • Instruction Fuzzy Hash: DEB12D3490425D9FCF11DFA5C841ADEBBB9FF48304F5081AAE808A7261D7399A85CF95
                                                                                  APIs
                                                                                  • GetMenu.USER32(00000000), ref: 004212F9
                                                                                  • SetMenu.USER32(00000000,00000000), ref: 00421316
                                                                                  • SetMenu.USER32(00000000,00000000), ref: 0042134B
                                                                                  • SetMenu.USER32(00000000,00000000), ref: 00421367
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu
                                                                                  • String ID:
                                                                                  • API String ID: 3711407533-0
                                                                                  • Opcode ID: cd3a93c2cf138dab4565f8db6c0a338113bdbac6dcb4a2090afdd25f9904c4a9
                                                                                  • Instruction ID: 5ba189b3e664db15440fa69ae7d8eea0be5862094bc30d9b2d5c91e26853f135
                                                                                  • Opcode Fuzzy Hash: cd3a93c2cf138dab4565f8db6c0a338113bdbac6dcb4a2090afdd25f9904c4a9
                                                                                  • Instruction Fuzzy Hash: A341913070025457EB20AB39A8857AA36A65B65748F4805BFFC45DF3A7CA7DCC49826C
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,00000000,00000000,00000000,0044A8C7,?,?,?,?), ref: 0044A81B
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0044A841
                                                                                  • DrawTextA.USER32(?,00000000,00000000,00000000,00000000), ref: 0044A86E
                                                                                  • 7427A480.USER32(00000000,?,0044A893,0044A88C,?,00000000,00000000,00000000,00000000,0044A8C7,?,?,?,?), ref: 0044A886
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 7427$A480A570DrawObjectSelectText
                                                                                  • String ID:
                                                                                  • API String ID: 2470156735-0
                                                                                  • Opcode ID: 13e7f46594410429415eb3c83e8a379f550846bd814c016b0beec29a33dfd232
                                                                                  • Instruction ID: 162fa924c01e8769bffc667adf009b74f6d8a2415f726b074ddb38969f1a9430
                                                                                  • Opcode Fuzzy Hash: 13e7f46594410429415eb3c83e8a379f550846bd814c016b0beec29a33dfd232
                                                                                  • Instruction Fuzzy Hash: 7A314C70E44208AFEB11EBA5C845F9EBBF9EB48304F5180B6F404E7291D7389E55CB19
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,?,?,?), ref: 00416B1C
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00416B36
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00416B50
                                                                                  • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B78
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$CallMessageProcSendTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 601730667-0
                                                                                  • Opcode ID: 1db9439961d16d8c2abea4fe5464b0a9e2b87304c89db61a0dbe8b2136cc1a78
                                                                                  • Instruction ID: ede9de0c36d47e69a987b7ca94d8f010d1f25b9d4ebdef75bfe2fd84eb8d61b5
                                                                                  • Opcode Fuzzy Hash: 1db9439961d16d8c2abea4fe5464b0a9e2b87304c89db61a0dbe8b2136cc1a78
                                                                                  • Instruction Fuzzy Hash: B11121B2204610AFC710EE6ECDC4E9777ECDF49314715882AB59ADB616C638FC418B69
                                                                                  APIs
                                                                                  • EnumWindows.USER32(004239B4), ref: 00423A40
                                                                                  • GetWindow.USER32(?,00000003), ref: 00423A55
                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 00423A64
                                                                                  • SetWindowPos.USER32(00000000,004240F4,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424143,?,?,00423D0B), ref: 00423A9A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$EnumLongWindows
                                                                                  • String ID:
                                                                                  • API String ID: 4191631535-0
                                                                                  • Opcode ID: a3dddf2818e85b0a7412034cdc93827fed5f39f9f86c9025a0e1ddd06f9f1a23
                                                                                  • Instruction ID: 78858b55759cffc047babf0828248a40a9e7283faaf25bc92fdcf5910b1e6d89
                                                                                  • Opcode Fuzzy Hash: a3dddf2818e85b0a7412034cdc93827fed5f39f9f86c9025a0e1ddd06f9f1a23
                                                                                  • Instruction Fuzzy Hash: 6F112A71704620AFEB10DF28D985F5677F8EB48725F11026AF9A4AB2E2C3789D40CB58
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230B6
                                                                                  • EnumFontsA.GDI32(00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000,?,?,?,00000001), ref: 004230C9
                                                                                  • 74284620.GDI32(00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230D1
                                                                                  • 7427A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423000,004105E8,00000000,?,?,00000000,?,00418F6B,00000000), ref: 004230DC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 7427$74284620A480A570EnumFonts
                                                                                  • String ID:
                                                                                  • API String ID: 1607048897-0
                                                                                  • Opcode ID: 99f52810c9749a5cbd9ff2f136ef96ebea9bad732b838abe369f9f052bbb00dd
                                                                                  • Instruction ID: 480ad96ec471ac809db642ed0e84659cb32dc22bff5912eb34c1548d136fbca0
                                                                                  • Opcode Fuzzy Hash: 99f52810c9749a5cbd9ff2f136ef96ebea9bad732b838abe369f9f052bbb00dd
                                                                                  • Instruction Fuzzy Hash: 3A0192617043002AE710BF795C86B9B7B649F05319F54427BF904AA3C7DABE9805476E
                                                                                  APIs
                                                                                    • Part of subcall function 0044FAC4: SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                                  • FlushFileBuffers.KERNEL32(?), ref: 004599B4
                                                                                  Strings
                                                                                  • NumRecs range exceeded, xrefs: 0045989F
                                                                                  • EndOffset range exceeded, xrefs: 004598D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$BuffersFlush
                                                                                  • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                  • API String ID: 3593489403-659731555
                                                                                  • Opcode ID: 1f2bc0606a5f0983b0ea1b8ab0875cedde292d15a2ed6b25246784c604d14e3d
                                                                                  • Instruction ID: 05f19677e5008765b15c4a6d8796d41a2b093650de1072065c8b92715952b680
                                                                                  • Opcode Fuzzy Hash: 1f2bc0606a5f0983b0ea1b8ab0875cedde292d15a2ed6b25246784c604d14e3d
                                                                                  • Instruction Fuzzy Hash: D6615F34A00258CBDB25DF25C841ADAB3B5EB49305F0085EBED49AB352D7B4AEC9CF54
                                                                                  APIs
                                                                                    • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0048FB0E), ref: 0040334B
                                                                                    • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0048FB0E), ref: 00403356
                                                                                    • Part of subcall function 00409B10: 6FDA1CD0.COMCTL32(0048FB1D), ref: 00409B10
                                                                                    • Part of subcall function 004108EC: GetCurrentThreadId.KERNEL32 ref: 0041093A
                                                                                    • Part of subcall function 00418FD8: GetVersion.KERNEL32(0048FB31), ref: 00418FD8
                                                                                    • Part of subcall function 0044ECB8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048FB45), ref: 0044ECF3
                                                                                    • Part of subcall function 0044ECB8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044ECF9
                                                                                    • Part of subcall function 004517EC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 0045180C
                                                                                    • Part of subcall function 004517EC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451812
                                                                                    • Part of subcall function 004517EC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451885,?,?,?,?,00000000,?,0048FB4F), ref: 00451826
                                                                                    • Part of subcall function 004517EC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045182C
                                                                                    • Part of subcall function 0045F420: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0048FB63), ref: 0045F42F
                                                                                    • Part of subcall function 0045F420: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045F435
                                                                                    • Part of subcall function 00467010: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00467025
                                                                                    • Part of subcall function 00471A50: GetModuleHandleA.KERNEL32(kernel32.dll,?,0048FB6D), ref: 00471A56
                                                                                    • Part of subcall function 00471A50: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00471A63
                                                                                    • Part of subcall function 00471A50: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00471A73
                                                                                    • Part of subcall function 0048CAAC: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048CAB1
                                                                                  • SetErrorMode.KERNEL32(00000001,00000000,0048FBB5), ref: 0048FB87
                                                                                    • Part of subcall function 0048F910: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048FB91,00000001,00000000,0048FBB5), ref: 0048F91A
                                                                                    • Part of subcall function 0048F910: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0048F920
                                                                                    • Part of subcall function 0042446C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0042448B
                                                                                    • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                                  • ShowWindow.USER32(?,00000005,00000000,0048FBB5), ref: 0048FBF8
                                                                                    • Part of subcall function 0047A84C: SetActiveWindow.USER32(?), ref: 0047A8E6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
                                                                                  • String ID: Setup
                                                                                  • API String ID: 1040181325-3839654196
                                                                                  • Opcode ID: 491b58e90ccc040da5be879388dfd3e873ea2da0a6ccdddc3a01f6d7e6a04dae
                                                                                  • Instruction ID: 05e04b58d559349a16389a7bed4b2658fb8c322911455d768caeccd37b77f3a0
                                                                                  • Opcode Fuzzy Hash: 491b58e90ccc040da5be879388dfd3e873ea2da0a6ccdddc3a01f6d7e6a04dae
                                                                                  • Instruction Fuzzy Hash: 9F31E2312046009FD3017BB7EC6391E37E8EB897187624C7BF904866A3DE3D58548A6E
                                                                                  APIs
                                                                                  • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,?,00000000,0042DB51), ref: 0042DA68
                                                                                  • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,00000000,?,ProductType,00000000,?,00000000,?,00000000,0042DB51), ref: 0042DAC0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID: ProductType
                                                                                  • API String ID: 3660427363-120863269
                                                                                  • Opcode ID: 6bfb4fd44eca12809ce3db0115c22f98bfdaa3bb87c7abec4c6d98565b8ebe83
                                                                                  • Instruction ID: 720882c7ace9e3aee5e39c75bef508b614e07e55abf3e0c3cdebfe3487a701cd
                                                                                  • Opcode Fuzzy Hash: 6bfb4fd44eca12809ce3db0115c22f98bfdaa3bb87c7abec4c6d98565b8ebe83
                                                                                  • Instruction Fuzzy Hash: 47412A70E04118AFDF21DF95D895BEFBBB8EB05304F9185B7E410A7281D778AA44CB58
                                                                                  APIs
                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045210F,?,?,00000000,00491628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452066
                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045210F,?,?,00000000,00491628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045206F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                  • String ID: .tmp
                                                                                  • API String ID: 1375471231-2986845003
                                                                                  • Opcode ID: b85b4929283630c48eadbf2cbebc30f3f6ab2d69d23499921ffdb8137f2e4c49
                                                                                  • Instruction ID: 243ebf4b46ba542f7f276c497d58c5d8c2b9d78763f1d6c9208d69dc09338b99
                                                                                  • Opcode Fuzzy Hash: b85b4929283630c48eadbf2cbebc30f3f6ab2d69d23499921ffdb8137f2e4c49
                                                                                  • Instruction Fuzzy Hash: DB216274A00208ABDB01EFA5C9529DFB7B9EB48304F50443BED01B7382DA7C9E048AA5
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                                  • 74285940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 74285940CurrentThread
                                                                                  • String ID: .cE
                                                                                  • API String ID: 3444323889-2247376771
                                                                                  • Opcode ID: 7114da14003f801617bc287ec153a09cbaa899a94acfa9cfc63b91c43064aad6
                                                                                  • Instruction ID: 741d75755e19a406a31988a48b10835d357054a8eb3752de669f6350f9a9ffb3
                                                                                  • Opcode Fuzzy Hash: 7114da14003f801617bc287ec153a09cbaa899a94acfa9cfc63b91c43064aad6
                                                                                  • Instruction Fuzzy Hash: EA012975A04704BFD725CF66EC1195ABBF8E789720B22887BEC04D36A0F6345910EE18
                                                                                  APIs
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00475196,00000000,004751AC,?,?,?,?,00000000), ref: 00474F72
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID: RegisteredOrganization$RegisteredOwner
                                                                                  • API String ID: 3535843008-1113070880
                                                                                  • Opcode ID: fb8125e15dd1e95c2c3fc40ad81d516763da28b9d41dee2f4fe7d1ea49f3ddbb
                                                                                  • Instruction ID: ca8d2858b2af6c6aeca06424934b203f0131d6be77ca3c38012645fb33a7432b
                                                                                  • Opcode Fuzzy Hash: fb8125e15dd1e95c2c3fc40ad81d516763da28b9d41dee2f4fe7d1ea49f3ddbb
                                                                                  • Instruction Fuzzy Hash: AAF09631708244ABDB00D6A5AD56BAA37999741304F10807BF2048B291D7BDAE01C75C
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046EC4B), ref: 0046EA39
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046EC4B), ref: 0046EA50
                                                                                    • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateErrorFileHandleLast
                                                                                  • String ID: CreateFile
                                                                                  • API String ID: 2528220319-823142352
                                                                                  • Opcode ID: ad3004295afec78419ee0f198e40febc28fc91a26831ece3670bf70097c3d0fd
                                                                                  • Instruction ID: 88c410d2b993a7dea7f257b246bf4907bd6482aa96eec96fb2f66064e7706465
                                                                                  • Opcode Fuzzy Hash: ad3004295afec78419ee0f198e40febc28fc91a26831ece3670bf70097c3d0fd
                                                                                  • Instruction Fuzzy Hash: ECE06D34780304BBEA10E6A9CCC6F097788AB04728F108156FA44AF3E2C5B9EC808619
                                                                                  APIs
                                                                                  • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,p I,00000004,00000001,?,0046912F,?,?,00000000,004691D6,?,_is1,?), ref: 00468C1B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID: NoModify$p I
                                                                                  • API String ID: 3702945584-149964347
                                                                                  • Opcode ID: a2c7f905128bce9c85b7980fd93439cd1a7af668d1cf4a048e3beec408cb2ced
                                                                                  • Instruction ID: 5f17656b713328f70f4e7e69c90c4b9631954771e6a11acddfbeddc3ad8a7337
                                                                                  • Opcode Fuzzy Hash: a2c7f905128bce9c85b7980fd93439cd1a7af668d1cf4a048e3beec408cb2ced
                                                                                  • Instruction Fuzzy Hash: D9E04FB4641308BFEB04DB95CD4AF6B77ACDB48750F10415EBA04DB290EA74EE00C668
                                                                                  APIs
                                                                                    • Part of subcall function 0042E1D0: SetErrorMode.KERNEL32(00008000), ref: 0042E1DA
                                                                                    • Part of subcall function 0042E1D0: LoadLibraryA.KERNEL32(00000000,00000000,0042E224,?,00000000,0042E242,?,00008000), ref: 0042E209
                                                                                  • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00467025
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLibraryLoadModeProc
                                                                                  • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                  • API String ID: 2492108670-2683653824
                                                                                  • Opcode ID: c1407b3ed417c14e9cb1d4a508e91d73624d96c2cf720aa64d80b2131ee11c1c
                                                                                  • Instruction ID: 4e6ef65d5c6372aab034aae14ce800510d414609db6ea871b3bf53974ffa5695
                                                                                  • Opcode Fuzzy Hash: c1407b3ed417c14e9cb1d4a508e91d73624d96c2cf720aa64d80b2131ee11c1c
                                                                                  • Instruction Fuzzy Hash: 12B092B062964582DE4067B2591272B210A974071CF50C43BB045AA699EB3D88056FAE
                                                                                  APIs
                                                                                  • 755A1520.VERSION(00000000,?,?,?,0048E9CD), ref: 00450B2C
                                                                                  • 755A1500.VERSION(00000000,?,00000000,?,00000000,00450BA7,?,00000000,?,?,?,0048E9CD), ref: 00450B59
                                                                                  • 755A1540.VERSION(?,00450BD0,?,?,00000000,?,00000000,?,00000000,00450BA7,?,00000000,?,?,?,0048E9CD), ref: 00450B73
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: A1500A1520A1540
                                                                                  • String ID:
                                                                                  • API String ID: 2563864905-0
                                                                                  • Opcode ID: e74ac5882540819055a9b868d9ebfab0988b796822b5208a04ca06564a832d1d
                                                                                  • Instruction ID: b3f7e617e94dee12745bb0ae154e14247ba12b6e1b33dbbe84f386d4bcc14397
                                                                                  • Opcode Fuzzy Hash: e74ac5882540819055a9b868d9ebfab0988b796822b5208a04ca06564a832d1d
                                                                                  • Instruction Fuzzy Hash: 11216275A00549AFDB01DAE98C81EAFB7FCEB49305F55447AFC00E3282D679AE04CB65
                                                                                  APIs
                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004243AA
                                                                                  • TranslateMessage.USER32(?), ref: 00424427
                                                                                  • DispatchMessageA.USER32(?), ref: 00424431
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 4217535847-0
                                                                                  • Opcode ID: a1bcb0b4cddcccdb1809fa665ecf4e834a60a407fc84fe33fc01ef11a48cb8ff
                                                                                  • Instruction ID: f41f362f8b510b916e1250aa7cd67eb3d1bf5f1abd6c75054d9fad27ae384175
                                                                                  • Opcode Fuzzy Hash: a1bcb0b4cddcccdb1809fa665ecf4e834a60a407fc84fe33fc01ef11a48cb8ff
                                                                                  • Instruction Fuzzy Hash: 8911C43130432056EA20E664B94179BB7D4DFC0B44FD0481EF8C987382D3BD9E85879B
                                                                                  APIs
                                                                                  • SetPropA.USER32(00000000,00000000), ref: 00416602
                                                                                  • SetPropA.USER32(00000000,00000000), ref: 00416617
                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041663E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Prop$Window
                                                                                  • String ID:
                                                                                  • API String ID: 3363284559-0
                                                                                  • Opcode ID: abce75a93c7af2809daeccc10dca433874f6facc9e691e91c63ac67adcc77cdc
                                                                                  • Instruction ID: 7e53595c330ddd8fac250eff5939085705778a4fd4c28fed0557c4acc79c9eac
                                                                                  • Opcode Fuzzy Hash: abce75a93c7af2809daeccc10dca433874f6facc9e691e91c63ac67adcc77cdc
                                                                                  • Instruction Fuzzy Hash: 11F0BD71701220ABE710AF59DC85FA632ECAB0D715F16017ABE05EF296C679DD4087A8
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocFree
                                                                                  • String ID: \~
                                                                                  • API String ID: 2087232378-1166203647
                                                                                  • Opcode ID: a63fe0f0864ed12356c05260577adb58acfda967faafabc8b78a16e1d04bad7e
                                                                                  • Instruction ID: bf7b13eafa23b8191e4305e5e68b9b030f4cda3e75454a5d70f9da2571521f57
                                                                                  • Opcode Fuzzy Hash: a63fe0f0864ed12356c05260577adb58acfda967faafabc8b78a16e1d04bad7e
                                                                                  • Instruction Fuzzy Hash: 23F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9
                                                                                  APIs
                                                                                  • IsWindowVisible.USER32(?), ref: 0041EDFC
                                                                                  • IsWindowEnabled.USER32(?), ref: 0041EE06
                                                                                  • EnableWindow.USER32(?,00000000), ref: 0041EE2C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$EnableEnabledVisible
                                                                                  • String ID:
                                                                                  • API String ID: 3234591441-0
                                                                                  • Opcode ID: 30cd10f9e6e6988f12bc522c3ddfac0ba0dd8a613fe51e8cb5c9acb32a7f50cd
                                                                                  • Instruction ID: b74782cb620cf7184d956329234e82953052207085a66aea4c88563df6020a5c
                                                                                  • Opcode Fuzzy Hash: 30cd10f9e6e6988f12bc522c3ddfac0ba0dd8a613fe51e8cb5c9acb32a7f50cd
                                                                                  • Instruction Fuzzy Hash: 9CE0ED741003006EE720EB27DDC1A5B76ACAB15354F51843BEC09AB292D639D8408E7C
                                                                                  APIs
                                                                                  • SetActiveWindow.USER32(?), ref: 0047A8E6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ActiveWindow
                                                                                  • String ID: InitializeWizard
                                                                                  • API String ID: 2558294473-2356795471
                                                                                  • Opcode ID: 5d27466cebfbd2aa7d2215f696880c43dc2b5c0733d824ec7b71431b4b67c958
                                                                                  • Instruction ID: 4ef4d0f5891c0f271f91b124662a3bdbc4c54ac07b4307d288165ee679e51438
                                                                                  • Opcode Fuzzy Hash: 5d27466cebfbd2aa7d2215f696880c43dc2b5c0733d824ec7b71431b4b67c958
                                                                                  • Instruction Fuzzy Hash: CE11E571608205AFD304EB29EC41B5E37E4E755368F11487BF408873B1DB7A6814CB0E
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00475072,00000000,004751AC), ref: 00474E71
                                                                                  Strings
                                                                                  • Software\Microsoft\Windows\CurrentVersion, xrefs: 00474E41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                  • API String ID: 47109696-1019749484
                                                                                  • Opcode ID: 9ce991fdd72377c6560612b01921262f802a1c998dfb1707908bf7020ea89cf1
                                                                                  • Instruction ID: 5e7d8204e1387e5276ff1e1c15c303683ce0c16dca96b1678201da73bf853054
                                                                                  • Opcode Fuzzy Hash: 9ce991fdd72377c6560612b01921262f802a1c998dfb1707908bf7020ea89cf1
                                                                                  • Instruction Fuzzy Hash: 82F0823270421467DA00A65A5C42BAEA69DABD4778F60403BF508EB242DBB99E0243AD
                                                                                  APIs
                                                                                  • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00492070,?,00468D8F,?,00000000,004691D6,?,_is1), ref: 00468BBB
                                                                                  Strings
                                                                                  • Inno Setup: Setup Version, xrefs: 00468BB9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID: Inno Setup: Setup Version
                                                                                  • API String ID: 3702945584-4166306022
                                                                                  • Opcode ID: 55bc7da4cd8946349a8deaf42b7ea84ae745bbd3c125ab1bd1090d5bf08d9b73
                                                                                  • Instruction ID: 1b93d253739ba50d70b0c298aadec07ca201889e3bbe27255cf69d985455c9ee
                                                                                  • Opcode Fuzzy Hash: 55bc7da4cd8946349a8deaf42b7ea84ae745bbd3c125ab1bd1090d5bf08d9b73
                                                                                  • Instruction Fuzzy Hash: E7E06D713412043FD710AA6E9C85F6BBBDCDF98765F10453AB908DB392D978DD0082A8
                                                                                  APIs
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  Strings
                                                                                  • System\CurrentControlSet\Control\Windows, xrefs: 0042DC4E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID: System\CurrentControlSet\Control\Windows
                                                                                  • API String ID: 71445658-1109719901
                                                                                  • Opcode ID: 9e5b345e785c91b0f5a571fec93a41b1f6e0275645f0b6ae19fc6c92cfbd1549
                                                                                  • Instruction ID: 1fa36bbc138ef5df8a79d56ad3489f1352038e5699f18f1501d42a01d3325c1b
                                                                                  • Opcode Fuzzy Hash: 9e5b345e785c91b0f5a571fec93a41b1f6e0275645f0b6ae19fc6c92cfbd1549
                                                                                  • Instruction Fuzzy Hash: ECD0C772910128BBDB10DA89DC41DF7775DDB59760F44401AFD0497141C1B4EC5197F4
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDD6,?,?,00000008,00000000,00000000,0042DE03), ref: 0042DD6C
                                                                                  • RegCloseKey.ADVAPI32(?,0042DDDD,?,00000000,00000000,00000000,00000000,00000000,0042DDD6,?,?,00000008,00000000,00000000,0042DE03), ref: 0042DDD0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseEnumOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1332880857-0
                                                                                  • Opcode ID: 73c2a03e679bf25bdfde315833b36e1b00f0765a82adf2df881adb15c1f56b70
                                                                                  • Instruction ID: f99dc329d23035621923b5d2a774476ca06079cc80924e5db7f10a2c30e205d1
                                                                                  • Opcode Fuzzy Hash: 73c2a03e679bf25bdfde315833b36e1b00f0765a82adf2df881adb15c1f56b70
                                                                                  • Instruction Fuzzy Hash: 5531A370F04648AEDF11DFA2DD52BBFBBB9EB49304F90447BA400F6281D6385A01CA69
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF7A
                                                                                  • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0D7,00000000,0040B0EF,?,?,00000000,00000000), ref: 0040AF8B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$FindFree
                                                                                  • String ID:
                                                                                  • API String ID: 4097029671-0
                                                                                  • Opcode ID: 7496c189695d688fdff99332259dad1589d6eadf15039624863e1fafd028cd3d
                                                                                  • Instruction ID: 0b65737a95a802b673eb4701f613ec416807bcfd10e803f651e899918fb15a2b
                                                                                  • Opcode Fuzzy Hash: 7496c189695d688fdff99332259dad1589d6eadf15039624863e1fafd028cd3d
                                                                                  • Instruction Fuzzy Hash: 8401F7B1304305AFEB01EF65DC92E5A77ADDB497187118077F500EB2D0D63A9C11972A
                                                                                  APIs
                                                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 004512BE
                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,004512E4), ref: 004512C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastMove
                                                                                  • String ID:
                                                                                  • API String ID: 55378915-0
                                                                                  • Opcode ID: 326e839074a7fabb4a6fe387ff7347aa7085a5f6dae100b7999874b6cc7046d8
                                                                                  • Instruction ID: 4b1b8153bfe220907ace0ac351b5803590bb163904822851c8eb884620ab5cc8
                                                                                  • Opcode Fuzzy Hash: 326e839074a7fabb4a6fe387ff7347aa7085a5f6dae100b7999874b6cc7046d8
                                                                                  • Instruction Fuzzy Hash: 9501FE71B042046F8B01DFB95C415AEB7FCDB88315B5045B7FC04F3652E6785D08455D
                                                                                  APIs
                                                                                  • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeVirtual
                                                                                  • String ID: \~
                                                                                  • API String ID: 1263568516-1166203647
                                                                                  • Opcode ID: 6e91187b7332a9de29bf17c99eed288b4db39574d0e8835f7149b85b29ec7ccb
                                                                                  • Instruction ID: ed9b70f4bfbb0542158bd2f105c25c4ab5b5cc705db22fdb5c1542855cbe69d3
                                                                                  • Opcode Fuzzy Hash: 6e91187b7332a9de29bf17c99eed288b4db39574d0e8835f7149b85b29ec7ccb
                                                                                  • Instruction Fuzzy Hash: D901FC766442148FC3109E29DCC0E2677E8D794378F15453EDA95673A1D37A6C0187D8
                                                                                  APIs
                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00450DCB), ref: 00450DA5
                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00450DCB), ref: 00450DAD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1375471231-0
                                                                                  • Opcode ID: a8f3aab3da5e49bc1cc7ae1ed24efa0b6e0ae9f04d9ab1d7d32c9ae69be7706f
                                                                                  • Instruction ID: 8d0fd8431dd01b07f2e057170897cb65e7043a318c548b557aaaf859c49bc1d1
                                                                                  • Opcode Fuzzy Hash: a8f3aab3da5e49bc1cc7ae1ed24efa0b6e0ae9f04d9ab1d7d32c9ae69be7706f
                                                                                  • Instruction Fuzzy Hash: 92F0C876A04608BFDB11EFF59C415AEB7F8DB09325B5049B7FC04E3282E6396E188598
                                                                                  APIs
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 004231E1
                                                                                  • LoadCursorA.USER32(00000000,00000000), ref: 0042320B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CursorLoad
                                                                                  • String ID:
                                                                                  • API String ID: 3238433803-0
                                                                                  • Opcode ID: 75bc9bdbe08c2d970092a5246113edb2c82e11a14534848da190b62e376ac7a0
                                                                                  • Instruction ID: c216e742746fd48a7e71b88d4d8d1f08d0288b379413097872f84a35904d072c
                                                                                  • Opcode Fuzzy Hash: 75bc9bdbe08c2d970092a5246113edb2c82e11a14534848da190b62e376ac7a0
                                                                                  • Instruction Fuzzy Hash: 97F02711700250AAD6109E3E6CC1A2A76A8DB82735B72037BFA3AD32D1CA2E5C414179
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00008000), ref: 0042E1DA
                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0042E224,?,00000000,0042E242,?,00008000), ref: 0042E209
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLibraryLoadMode
                                                                                  • String ID:
                                                                                  • API String ID: 2987862817-0
                                                                                  • Opcode ID: c74b51fe89b54973e6d6af767e65af794be13bcce0c1b540c4036a39c29beee6
                                                                                  • Instruction ID: f80bc88786ffee16906ee1cbc6f5a5dfb0de3d8b81ccbeda7050d0d84746be81
                                                                                  • Opcode Fuzzy Hash: c74b51fe89b54973e6d6af767e65af794be13bcce0c1b540c4036a39c29beee6
                                                                                  • Instruction Fuzzy Hash: 3BF08270714744BEDB019F779C6282BBBECE74DB1479249B6F800A2691E63C5810C939
                                                                                  APIs
                                                                                  • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,00000080,00469D25,?,00000000), ref: 0044FAA6
                                                                                  • GetLastError.KERNEL32(?,00000000,?,00000002,?,00000080,00469D25,?,00000000), ref: 0044FAAE
                                                                                    • Part of subcall function 0044F84C: GetLastError.KERNEL32(0044F668,0044F90E,?,00000000,?,0048EEF4,00000001,00000000,00000002,00000000,0048F028,?,?,00000005,00000000,0048F05C), ref: 0044F84F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$FilePointer
                                                                                  • String ID:
                                                                                  • API String ID: 1156039329-0
                                                                                  • Opcode ID: 66d8d2571b6d9c9182f66046bc7c24ec16b6b3f9d7b5b3c91b7e7c906b8499e0
                                                                                  • Instruction ID: dc2cc91d022b993bb9419ccf16811074cfb412fa6d4f5818e5344dbdd2536412
                                                                                  • Opcode Fuzzy Hash: 66d8d2571b6d9c9182f66046bc7c24ec16b6b3f9d7b5b3c91b7e7c906b8499e0
                                                                                  • Instruction Fuzzy Hash: 24E012B23142016BFB10EAB599C2F3B22DCDB44314F00457AB648DE287E674CC058B65
                                                                                  APIs
                                                                                  • SendNotifyMessageA.USER32(0001043E,00000496,00002711,00000000), ref: 00476981
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageNotifySend
                                                                                  • String ID:
                                                                                  • API String ID: 3556456075-0
                                                                                  • Opcode ID: 70efed1c4315a37954a4eada347154322bbb8374bb31cc1d7421cf403e77fac0
                                                                                  • Instruction ID: ce85a3f25e29e8795c44f1ed81d72edd15c5c256e4fde433e3fba35f83edee42
                                                                                  • Opcode Fuzzy Hash: 70efed1c4315a37954a4eada347154322bbb8374bb31cc1d7421cf403e77fac0
                                                                                  • Instruction Fuzzy Hash: BC4184B4600000ABCB01FF66ED8254B3B9AAB50309755C577A508AF3B7CA7CDD068B9D
                                                                                  APIs
                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,004086A2), ref: 0040858B
                                                                                    • Part of subcall function 00406D7C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D99
                                                                                    • Part of subcall function 004084F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                  • String ID:
                                                                                  • API String ID: 1658689577-0
                                                                                  • Opcode ID: ec077f70c423e742a57cde7fe61168d436679bb3f9a4331c259d2b71bff546c5
                                                                                  • Instruction ID: f14e446589c7b2821558283ee76cbc32656574477ad454b613744791b3cb0744
                                                                                  • Opcode Fuzzy Hash: ec077f70c423e742a57cde7fe61168d436679bb3f9a4331c259d2b71bff546c5
                                                                                  • Instruction Fuzzy Hash: B0314F35E0010A9FCB00DB55C8819EEB779EF84314F51857BE815BB296E738AE018B98
                                                                                  APIs
                                                                                  • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoScroll
                                                                                  • String ID:
                                                                                  • API String ID: 629608716-0
                                                                                  • Opcode ID: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                                                                  • Instruction ID: b99c7564aaa2165f0350f3b3a8cb5fa8abdd766088343814f3ecbe0bf240b0fd
                                                                                  • Opcode Fuzzy Hash: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                                                                  • Instruction Fuzzy Hash: 7B2142B16087456FC340DF39C4406A6BBE4BB48344F048A3EE498C3741D778E996CBD6
                                                                                  APIs
                                                                                    • Part of subcall function 0041EE3C: GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                                    • Part of subcall function 0041EE3C: 74285940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                                  • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046677A,?,00000000,?,?,0046697F,?,00000000,004669BE), ref: 0046675E
                                                                                    • Part of subcall function 0041EEF0: IsWindow.USER32(?), ref: 0041EEFE
                                                                                    • Part of subcall function 0041EEF0: EnableWindow.USER32(?,00000001), ref: 0041EF0D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$74285940CurrentEnablePathPrepareThreadWrite
                                                                                  • String ID:
                                                                                  • API String ID: 1215381881-0
                                                                                  • Opcode ID: 83a08173aec7ac216bab6100ce2b7e9597a3104a8217ef6e8404317d0b0b416d
                                                                                  • Instruction ID: 04c01a9ff29008d4721837e79f174a1df7be570425d0b7f966994dd3cdc76343
                                                                                  • Opcode Fuzzy Hash: 83a08173aec7ac216bab6100ce2b7e9597a3104a8217ef6e8404317d0b0b416d
                                                                                  • Instruction Fuzzy Hash: 11F02774208304BFE7059B72EC17B257BECE31871AF62447BF409C6590EA799C40CA1D
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3934441357-0
                                                                                  • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                  • Instruction ID: 50f4ac4be647669ab6f74869d4f7439b47092d0ed037b823dcc0415f1adf503d
                                                                                  • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                  • Instruction Fuzzy Hash: FAF06D30504209DBEF1CCF68D0619AF77B1EB68700B24846FE647A7390DA34AF20D658
                                                                                  APIs
                                                                                  • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041651D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 37ab0cd48537a58929e3c8fcf0b95003e200bb7ebbb158e83a9db119e5dd7d08
                                                                                  • Instruction ID: 7b826a0fe65a8fd7b5428e982f0fd04f84c52168a395b6215e34099a37556f80
                                                                                  • Opcode Fuzzy Hash: 37ab0cd48537a58929e3c8fcf0b95003e200bb7ebbb158e83a9db119e5dd7d08
                                                                                  • Instruction Fuzzy Hash: CFF025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF25AD225EC508BB0
                                                                                  APIs
                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414987
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherUser
                                                                                  • String ID:
                                                                                  • API String ID: 2492992576-0
                                                                                  • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                  • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                  • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                  • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                  APIs
                                                                                    • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A,00000000,00451021,00000000,00451042,?,00000000), ref: 0042CBCB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesCharFilePrev
                                                                                  • String ID:
                                                                                  • API String ID: 4082512850-0
                                                                                  • Opcode ID: 2b26956367c8f6e622811080fef34c0f03e214d0e70f38de719cb12a16bd4f0b
                                                                                  • Instruction ID: 74b243856bc5622d6abb531dde7ce5b14d401d40d7487e0850c127eadd6c7fbb
                                                                                  • Opcode Fuzzy Hash: 2b26956367c8f6e622811080fef34c0f03e214d0e70f38de719cb12a16bd4f0b
                                                                                  • Instruction Fuzzy Hash: 56E06571304708BFD701EB66EC93E5EBBACDB45B14B914876F400D7541E579AE00C418
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044F99C
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 22c4a825166e9a110fa0cd7145a43304d6f70ecd84d601db30af9a86520ccae1
• Instruction ID: bc5deea9494c1ef366a15eb1db6f809752da2ad0dcb78da92ab8c753fee697c5
• Opcode Fuzzy Hash: 22c4a825166e9a110fa0cd7145a43304d6f70ecd84d601db30af9a86520ccae1
• Instruction Fuzzy Hash: 03E012A53941483FE340EEAC6C42FA777DC9759754F008033B998D7242D5719D158BA8
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 3d63e4b2211c5c4580dd321211c265d2c7427675a3424bd7ccfe827561558476
• Instruction ID: d34465c294f68e8ea137c3ae429806dbcaeebb59bcd6a0203419814785322f26
• Opcode Fuzzy Hash: 3d63e4b2211c5c4580dd321211c265d2c7427675a3424bd7ccfe827561558476
• Instruction Fuzzy Hash: 11E0D8613843111AF22510666C4BB7A12098790704F9480263A10DE3D6D9AE990A029D
APIs
• CreateWindowExA.USER32(00000000,00423614,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 00406319
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 91f371f92b4458d2df6fdff22a0a0aebc7ca7ebc2921950a35465f01e5b4a3fd
• Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
• Opcode Fuzzy Hash: 91f371f92b4458d2df6fdff22a0a0aebc7ca7ebc2921950a35465f01e5b4a3fd
• Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC28
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 771921d5586258fcecee2eeabb95e92086465f64ffd46d687e1536bcf760dc82
• Instruction ID: 3b99b25f9e5c03d05328e8fe2c64a6fa7055fc0d331177c1988bf00159f0e0ef
• Opcode Fuzzy Hash: 771921d5586258fcecee2eeabb95e92086465f64ffd46d687e1536bcf760dc82
• Instruction Fuzzy Hash: E7E07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F404016FA08D7200C2B4EC519BB4
APIs
• FindClose.KERNEL32(00000000,000000FF,0046A501,00000000,0046B26C,?,00000000,0046B2B5,?,00000000,0046B3EE,?,00000000,?,00000000), ref: 004530C6
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 2c6ddf738556e338986e659285bcd6dfb00f351da6fb89af47a9dd122954ab10
• Instruction ID: 7bf8de0c1ab9b25c79a4700b9c6461219ded52c1b8285e3da27c8b81d6763f8b
• Opcode Fuzzy Hash: 2c6ddf738556e338986e659285bcd6dfb00f351da6fb89af47a9dd122954ab10
• Instruction Fuzzy Hash: 82E09B706047008BCB14DF3A84C031677D55F85321F14C96AEC58CB3D7D63D84595627
APIs
• KiUserCallbackDispatcher.NTDLL(0048C96E,?,0048C990,?,?,00000000,0048C96E,?,?), ref: 00414633
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,00000000,?,0042C575,00000000,0042C592,?,?,00000000,?,00000000), ref: 00406AFD
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CompareString
• String ID:
• API String ID: 1825529933-0
• Opcode ID: df285a787a91df0510c1b9470b4c8139cfb679af50247b72370c3382fb6dd8d5
• Instruction ID: f6665c11947ada4625099ec4a58cd3d7eb013588aad78fe549ce1534c5c33ddb
• Opcode Fuzzy Hash: df285a787a91df0510c1b9470b4c8139cfb679af50247b72370c3382fb6dd8d5
• Instruction Fuzzy Hash: DAD092D17416203BD250BA7E1C82F5B48CC8B1861FF00413AB208FB2D2C97C8F0512AE
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406EB4
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 92616a0c773315b94590898aa4a0ca2ce8d2617e301858a5bf41299c043ccb5c
• Instruction ID: 98287354acb22086ad025a87a5fb6bfac30b4272d3533434fd3a97b42b2db627
• Opcode Fuzzy Hash: 92616a0c773315b94590898aa4a0ca2ce8d2617e301858a5bf41299c043ccb5c
• Instruction Fuzzy Hash: 31D05B763082507AD620D65BAC44DA76BDCCBC5771F11063EB558C71C1D6309C05C675
APIs
  • Part of subcall function 00423590: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004235A5
• ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
  • Part of subcall function 004235C0: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235DC
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: ea5c51de61202d4cbe2ae5b45e3e6aecf36d28bcb10aa4749c74ef1363364b60
• Instruction ID: a662ef4f7fcd77f552cbdab35d39622d28ddb6582f0ddf195742295e2ae327b8
• Opcode Fuzzy Hash: ea5c51de61202d4cbe2ae5b45e3e6aecf36d28bcb10aa4749c74ef1363364b60
• Instruction Fuzzy Hash: 2AD05E123412303142203ABB3846A8B46EC4E826AA388082BB4588B307F91DCB5110BC
APIs
• SetWindowTextA.USER32(?,00000000), ref: 00424274
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 36b264f0e85ca0497b7533c4a2d884e72b17b15a39c48fd07fabef73c721ee64
• Instruction ID: 663572d81262a5d08488ee3295b79aee4309efab1bd3e886e296d112243a7649
• Opcode Fuzzy Hash: 36b264f0e85ca0497b7533c4a2d884e72b17b15a39c48fd07fabef73c721ee64
• Instruction Fuzzy Hash: EDD05BE270112067DB01BAFD54C4AC567CC4B4C25671440F7F904EF257C638CD444358
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004506CB,00000000), ref: 0042CC03
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: b82088c33142265142d744e40a3ebc9261dedbc0120b4c7c3ff31406e957a02f
• Instruction ID: 4da38584ad50f151178bae3f15839ff320953b9c4e9bd814279b6e5613fcdaee
• Opcode Fuzzy Hash: b82088c33142265142d744e40a3ebc9261dedbc0120b4c7c3ff31406e957a02f
• Instruction Fuzzy Hash: 35C08CE13022001A9A1065BF2CC510F02C8891427A3A41F37F52EE33D2D27D88972018
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046252C,00000000,00000000,00000000,0000000C,00000000), ref: 004618D8
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
• Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A85C,0040CE08,?,00000000,?), ref: 00406E6D
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 7bbeac652bf9e26ddfb98cc5c061e88f67395af84d53f70b81aae82e01874d08
• Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
• Opcode Fuzzy Hash: 7bbeac652bf9e26ddfb98cc5c061e88f67395af84d53f70b81aae82e01874d08
• Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                  APIs
                                                                                  • SetCurrentDirectoryA.KERNEL32(00000000,?,0048EE82,00000000,0048F028,?,?,00000005,00000000,0048F05C,?,?,00000000), ref: 00407243
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 1611563598-0
                                                                                  • Opcode ID: 3293b503d2b4bba4523f910328dc84df787013104046f63be089ad99c5d39bd1
                                                                                  • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                                  • Opcode Fuzzy Hash: 3293b503d2b4bba4523f910328dc84df787013104046f63be089ad99c5d39bd1
                                                                                  • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                                  APIs
                                                                                  • SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                                    • Part of subcall function 0044F84C: GetLastError.KERNEL32(0044F668,0044F90E,?,00000000,?,0048EEF4,00000001,00000000,00000002,00000000,0048F028,?,?,00000005,00000000,0048F05C), ref: 0044F84F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLast
                                                                                  • String ID:
                                                                                  • API String ID: 734332943-0
                                                                                  • Opcode ID: f3253332dbee4df14b0fa8e56291b2723a02f29b840123db82c78c33d7d8b1a0
                                                                                  • Instruction ID: e17404963d9210faf7bcd6b13e10806e7cc740a865de794c8846e8a802dfbf25
                                                                                  • Opcode Fuzzy Hash: f3253332dbee4df14b0fa8e56291b2723a02f29b840123db82c78c33d7d8b1a0
                                                                                  • Instruction Fuzzy Hash: A1C04C61300500479F40A6AE95C190763DC9E193443104176B508DF217E7A8D8084A14
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(?,0042E249), ref: 0042E23C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: c0de3002351084fed35947dfb05fc57a340f91e1d3d115e6b2476f16dcfad9f3
                                                                                  • Instruction ID: 2ee822bca7ba236112451c470c82c212b188af11444a75795fab687286b6ff04
                                                                                  • Opcode Fuzzy Hash: c0de3002351084fed35947dfb05fc57a340f91e1d3d115e6b2476f16dcfad9f3
                                                                                  • Instruction Fuzzy Hash: B9B09B7670C6009DB705D6D7745552D63D8E7C47203E145B7F001D2580D53C58004928
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 74285
                                                                                  • String ID:
                                                                                  • API String ID: 3433674075-0
                                                                                  • Opcode ID: a2d1db5538ea73db18434c02c596e0264b6757647316809c0a4cc46386525ad0
                                                                                  • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                                  • Opcode Fuzzy Hash: a2d1db5538ea73db18434c02c596e0264b6757647316809c0a4cc46386525ad0
                                                                                  • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2e11252c8f068e5f320711ec4437e236dee30acc7c9f989bb20503d622e83fae
                                                                                  • Instruction ID: 20a0716fe555351ae53ec84aea0f5e33c65c2cb82e29988a222a4db77543fb3e
                                                                                  • Opcode Fuzzy Hash: 2e11252c8f068e5f320711ec4437e236dee30acc7c9f989bb20503d622e83fae
                                                                                  • Instruction Fuzzy Hash: 13519674E041099FEB00EFA5C482AAEBBF5EF49314F508176E500E7351C7389D46CB98
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045B070
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 599c4b535e658b18ce22dfb26852a359f3d9c44e721798897f1f4c57bfe86861
                                                                                  • Instruction ID: 197fa13a5db15f324c13d3003a06a4b5d4309829e3554a7131eac32aa72e2ed3
                                                                                  • Opcode Fuzzy Hash: 599c4b535e658b18ce22dfb26852a359f3d9c44e721798897f1f4c57bfe86861
                                                                                  • Instruction Fuzzy Hash: 0F1187712002049BDB00EF19C88175B3794EF8475AF05856EFD589B2C7DB78EC498BAA
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED3C,?,00423827,00423BA4,0041ED3C), ref: 0041F37A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 829857cc50c614b9e4f58a30b7f57fd45941c254744d41e4bd2888d1a2500faf
                                                                                  • Instruction ID: 8a2b48c0a32b80b38b78727057d1ce8dd7083e6c405f33ac42e4b13742b40a44
                                                                                  • Opcode Fuzzy Hash: 829857cc50c614b9e4f58a30b7f57fd45941c254744d41e4bd2888d1a2500faf
                                                                                  • Instruction Fuzzy Hash: 7D1148746403099BCB10DF19C880B86FBE4EF98350B14C53AE9A88B395D374E849CBA9
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,00451629), ref: 0045160B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1452528299-0
                                                                                  • Opcode ID: d71cf34c5828d9ab60ceca327b57a691e20f5cf8e6f4fa27d2de5408e2dec814
                                                                                  • Instruction ID: d98855298e7be5a9d3f0d35184012b30359fd13790d4aac9ca9123f51ad7e951
                                                                                  • Opcode Fuzzy Hash: d71cf34c5828d9ab60ceca327b57a691e20f5cf8e6f4fa27d2de5408e2dec814
                                                                                  • Instruction Fuzzy Hash: AB0120356042486F8B11DFA99C115EEFBFCDB8932075482B7FC68D3352D6345D0996A4
                                                                                  APIs
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,0045B066), ref: 0045AF9F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1263568516-0
                                                                                  • Opcode ID: 4fff5a565df2a14c4f13934edac0ba2ab1e2a907cd2c7c546594f35b7a1beb1f
                                                                                  • Instruction ID: b2c012dc50c3b33fb63eb55dcfc4a1bd2d8c3457cbd87c502616eb3b37b5a2f2
                                                                                  • Opcode Fuzzy Hash: 4fff5a565df2a14c4f13934edac0ba2ab1e2a907cd2c7c546594f35b7a1beb1f
                                                                                  • Instruction Fuzzy Hash: 85D0E9B17557045FEF90EE798CC1B0637D8BB48701F5045766904DB286E674E8148A18
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  • Opcode ID: 15fad48b423db95c67f8573259d9b999d60fad3f65fc35ec82f38a96773d5811
                                                                                  • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                  • Opcode Fuzzy Hash: 15fad48b423db95c67f8573259d9b999d60fad3f65fc35ec82f38a96773d5811
                                                                                  • Instruction Fuzzy Hash:
                                                                                  APIs
                                                                                    • Part of subcall function 0044A988: GetVersionExA.KERNEL32(00000094), ref: 0044A9A5
                                                                                  • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044ECE9,0048FB45), ref: 0044AA03
                                                                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AA1B
                                                                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AA2D
                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AA3F
                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AA51
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA63
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA75
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AA87
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AA99
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AAAB
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AABD
                                                                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AACF
                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AAE1
                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AAF3
                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AB05
                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AB17
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AB29
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AB3B
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044AB4D
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044AB5F
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044AB71
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044AB83
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044AB95
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044ABA7
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044ABB9
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044ABCB
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044ABDD
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044ABEF
                                                                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044AC01
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044AC13
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044AC25
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044AC37
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044AC49
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044AC5B
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044AC6D
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044AC7F
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044AC91
                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044ACA3
                                                                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044ACB5
                                                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044ACC7
                                                                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044ACD9
                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044ACEB
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044ACFD
                                                                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044AD0F
                                                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044AD21
                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044AD33
                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044AD45
                                                                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044AD57
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoadVersion
                                                                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                  • API String ID: 1968650500-2910565190
                                                                                  • Opcode ID: 084753db628814d796f6e1744ff6ef675f0221a40e53642cc3db85f155f885ca
                                                                                  • Instruction ID: c1c72b5d215d487091b309bcaa4aaadaea684569810ba268cdf215e5f5524652
                                                                                  • Opcode Fuzzy Hash: 084753db628814d796f6e1744ff6ef675f0221a40e53642cc3db85f155f885ca
                                                                                  • Instruction Fuzzy Hash: 3F91D7F0A80B51EBEF00EBF598C6A2636A8EB15B14714457BB414EF2A5D67C8814CF1E
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 0045659F
                                                                                  • QueryPerformanceCounter.KERNEL32(02163858,00000000,00456832,?,?,02163858,00000000,?,00456F2E,?,02163858,00000000), ref: 004565A8
                                                                                  • GetSystemTimeAsFileTime.KERNEL32(02163858,02163858), ref: 004565B2
                                                                                  • GetCurrentProcessId.KERNEL32(?,02163858,00000000,00456832,?,?,02163858,00000000,?,00456F2E,?,02163858,00000000), ref: 004565BB
                                                                                  • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456631
                                                                                  • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02163858,02163858), ref: 0045663F
                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00490A80,00000003,00000000,00000000,00000000,004567EE), ref: 00456687
                                                                                  • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004567DD,?,00000000,C0000000,00000000,00490A80,00000003,00000000,00000000,00000000,004567EE), ref: 004566C0
                                                                                    • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456769
                                                                                  • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045679F
                                                                                  • CloseHandle.KERNEL32(000000FF,004567E4,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004567D7
                                                                                    • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                  • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$h$helper %d 0x%x
                                                                                  • API String ID: 770386003-3739555822
                                                                                  • Opcode ID: 6e4651e0049ff0662e734541730ef5df36c808c886455675b05c3a93692a2f1b
                                                                                  • Instruction ID: eb727a0c2a66d2e753eb8e5ee9f6a175ca6c37c62ae894730643be17e5060682
                                                                                  • Opcode Fuzzy Hash: 6e4651e0049ff0662e734541730ef5df36c808c886455675b05c3a93692a2f1b
                                                                                  • Instruction Fuzzy Hash: 977146B0900348AEDB10DF65CC45B9EBBF8EB09305F5185BAF904EB292D7789944CF69
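The function above creates the Inno Setup 64-bit helper pipe and launches the helper process, and reading it means turning raw stack slots into named Win32 flags. The Python script below is an added example (not part of the Joe Sandbox report and not code from the sample): it parses trace lines in the report's own `API.MODULE(args), ref: addr` shape and decodes the CreateNamedPipeA and CreateFileA arguments using the documented constant values. Two caveats are built in. The trace prints stack slots, not parameters, so a line can carry more values than the API has parameters (the CreateFileA line shows 9 slots for a 7-parameter API; the trailing 004567EE looks like a code address in this function, not an argument). And the CreateProcessA slot list does not line up one-to-one with its parameters (a `?` slot sits among them), so its 0C000000 creation flags are decoded directly rather than by position.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode their Win32 flag arguments.

Added example: not part of the Joe Sandbox report and not code from the sample.
SAMPLE_TRACE is copied from the trace above; the flag tables hold the documented
Win32 constant values for the parameters decoded here.
"""
import re
from typing import Dict, List, Tuple, Union

Arg = Union[int, str]

# Every trace line has the shape "<API>.<MODULE>(<stack slots>), ref: <addr>"
_TRACE_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Lines copied from the report above (constructed list, values unchanged)
SAMPLE_TRACE = [
    "• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456631",
    "• CreateFileA.KERNEL32(00000000,C0000000,00000000,00490A80,00000003,00000000,00000000,00000000,004567EE), ref: 00456687",
    "• GetLastError.KERNEL32(-00000010,?), ref: 004713E8",
]


def _parse_slot(tok: str) -> Arg:
    """A hex slot becomes an int (a leading '-' marks a negative DWORD, e.g. -00000010 = GWL_STYLE);
    anything else ('?', a string argument such as SeShutdownPrivilege) stays text."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok


def parse_trace_line(line: str) -> Dict[str, object]:
    m = _TRACE_LINE.match(line)
    if not m:
        raise ValueError(f"not a trace line: {line!r}")
    raw = m.group("args").strip()
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [_parse_slot(t) for t in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
    }


# Documented Win32 values. Composite flags (PIPE_ACCESS_DUPLEX = INBOUND|OUTBOUND) are
# listed so the decoder can prefer them over their parts.
PIPE_OPEN_MODE = {  # CreateNamedPipe dwOpenMode: access mode plus FILE_FLAG_* bits
    "PIPE_ACCESS_DUPLEX": 0x3, "PIPE_ACCESS_INBOUND": 0x1, "PIPE_ACCESS_OUTBOUND": 0x2,
    "FILE_FLAG_FIRST_PIPE_INSTANCE": 0x00080000, "FILE_FLAG_OVERLAPPED": 0x40000000,
    "FILE_FLAG_WRITE_THROUGH": 0x80000000,
}
PIPE_MODE = {  # CreateNamedPipe dwPipeMode; PIPE_TYPE_BYTE, PIPE_READMODE_BYTE and PIPE_WAIT are 0
    "PIPE_TYPE_MESSAGE": 0x4, "PIPE_READMODE_MESSAGE": 0x2, "PIPE_NOWAIT": 0x1,
    "PIPE_REJECT_REMOTE_CLIENTS": 0x8,
}
GENERIC_ACCESS = {"GENERIC_READ": 0x80000000, "GENERIC_WRITE": 0x40000000,
                  "GENERIC_EXECUTE": 0x20000000, "GENERIC_ALL": 0x10000000}
FILE_SHARE = {"FILE_SHARE_READ": 0x1, "FILE_SHARE_WRITE": 0x2, "FILE_SHARE_DELETE": 0x4}
CREATION_DISPOSITION = {"CREATE_NEW": 1, "CREATE_ALWAYS": 2, "OPEN_EXISTING": 3,
                        "OPEN_ALWAYS": 4, "TRUNCATE_EXISTING": 5}
CREATE_PROCESS_FLAGS = {
    "DEBUG_PROCESS": 0x1, "DEBUG_ONLY_THIS_PROCESS": 0x2, "CREATE_SUSPENDED": 0x4,
    "DETACHED_PROCESS": 0x8, "CREATE_NEW_CONSOLE": 0x10, "CREATE_NEW_PROCESS_GROUP": 0x200,
    "CREATE_UNICODE_ENVIRONMENT": 0x400, "EXTENDED_STARTUPINFO_PRESENT": 0x80000,
    "CREATE_BREAKAWAY_FROM_JOB": 0x01000000, "CREATE_DEFAULT_ERROR_MODE": 0x04000000,
    "CREATE_NO_WINDOW": 0x08000000,
}


def decode_flags(value: int, table: Dict[str, int]) -> str:
    """Greedy bit decode: entries with more bits set are tried first, so a composite
    flag wins over its parts; bits no entry explains are kept as a hex remainder."""
    names, rest = [], value
    for name, bits in sorted(table.items(), key=lambda kv: -bin(kv[1]).count("1")):
        if bits and rest & bits == bits:
            names.append(name)
            rest &= ~bits
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) if names else "0"


def decode_enum(value: int, table: Dict[str, int]) -> str:
    return next((n for n, v in table.items() if v == value), f"0x{value:08X}")


# (API, slot index) -> (parameter name, kind, table). Only APIs whose slots line up
# with the prototype are decoded by position.
DECODERS = {
    ("CreateNamedPipeA", 1): ("dwOpenMode", "flags", PIPE_OPEN_MODE),
    ("CreateNamedPipeA", 2): ("dwPipeMode", "flags", PIPE_MODE),
    ("CreateFileA", 1): ("dwDesiredAccess", "flags", GENERIC_ACCESS),
    ("CreateFileA", 2): ("dwShareMode", "flags", FILE_SHARE),
    ("CreateFileA", 4): ("dwCreationDisposition", "enum", CREATION_DISPOSITION),
}


def decode_call(parsed: Dict[str, object]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    args: List[Arg] = parsed["args"]  # type: ignore[assignment]
    for (api, idx), (label, kind, table) in DECODERS.items():
        if api == parsed["api"] and idx < len(args) and isinstance(args[idx], int):
            v = args[idx]
            out[label] = decode_flags(v, table) if kind == "flags" else decode_enum(v, table)
    return out


def decode_trace(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    return [(p["api"], decode_call(p)) for p in map(parse_trace_line, lines)]  # type: ignore[misc]


if __name__ == "__main__":
    for api, decoded in decode_trace(SAMPLE_TRACE):
        print(api, decoded)
    # CreateProcessA's slot list above is not positional, so decode its flags directly
    print("CreateProcessA dwCreationFlags:", decode_flags(0x0C000000, CREATE_PROCESS_FLAGS))
```

Run against the lines above, CreateNamedPipeA decodes to PIPE_ACCESS_DUPLEX|FILE_FLAG_FIRST_PIPE_INSTANCE|FILE_FLAG_OVERLAPPED with PIPE_TYPE_MESSAGE|PIPE_READMODE_MESSAGE, one instance and 0x2000-byte buffers; CreateFileA opens it GENERIC_READ|GENERIC_WRITE with no sharing and OPEN_EXISTING; and 0C000000 is CREATE_DEFAULT_ERROR_MODE|CREATE_NO_WINDOW, so the helper runs without a console window. FILE_FLAG_FIRST_PIPE_INSTANCE is the detail worth noting: the call fails if a pipe of that name already exists, so a pre-created pipe cannot squat the name, and the name itself is varied using the timing and process-ID values gathered just before the call.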
                                                                                  APIs
                                                                                  • AllocateAndInitializeSid.ADVAPI32(00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DED6
                                                                                  • GetVersion.KERNEL32(00000000,0042E080,?,00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF3
                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E080,?,00490788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF0C
                                                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF12
                                                                                  • FreeSid.ADVAPI32(00000000,0042E087,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E07A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                                                                  • String ID: CheckTokenMembership$advapi32.dll
                                                                                  • API String ID: 1717332306-1888249752
                                                                                  • Opcode ID: c119322378d3e059ccaff1cd9edb99b5266ab2f2a1737f3946cf2f6fb6988120
                                                                                  • Instruction ID: aab75c2d3d4471c1c2eeed79e6c2560655bdf87990a10d1ca6ffa6bcff95bbc8
                                                                                  • Opcode Fuzzy Hash: c119322378d3e059ccaff1cd9edb99b5266ab2f2a1737f3946cf2f6fb6988120
                                                                                  • Instruction Fuzzy Hash: 6851C471B04625AEDB10EAE69C42FBF77ACEB08704F94047BB500F7282C5BCD906866D
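The arguments above are the standard "is the caller an administrator" check: AllocateAndInitializeSid with sub-authority count 2 and RIDs 0x20 and 0x220 builds the BUILTIN\Administrators SID (S-1-5-32-544), and the dynamically resolved CheckTokenMembership tests the caller's effective token against it. Under UAC a member of Administrators running with a filtered token fails this test, which is what an installer needs in order to decide whether to relaunch itself elevated; the ShellExecuteEx/runas function further down is consistent with that use. The Python below is an added example, not code from the report or from the sample: it builds and parses the binary SID structure those arguments describe and names the result. The identifier authority is passed by pointer (00490788) and is not visible in the trace, so SECURITY_NT_AUTHORITY (5) is an assumption, marked as such in the code.

```python
"""Build and decode binary Windows SIDs, mirroring AllocateAndInitializeSid.

Added example: not part of the report and not code from the sample. The trace
above passes sub-authority count 2 with 0x20 and 0x220, the documented values of
SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS. The identifier
authority is passed by pointer (00490788) and is not visible in the trace, so
SECURITY_NT_AUTHORITY (5) is assumed here.
"""
import struct
from typing import List, Tuple

SECURITY_NT_AUTHORITY = 5          # assumed (pointer argument in the trace)
SECURITY_BUILTIN_DOMAIN_RID = 0x20  # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220     # 544

# A few documented well-known SIDs, enough to name what the trace builds
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def make_sid(authority: int, *sub_authorities: int) -> bytes:
    """Binary SID layout: Revision (1), SubAuthorityCount, 6-byte big-endian
    IdentifierAuthority, then SubAuthorityCount little-endian DWORDs."""
    if not 1 <= len(sub_authorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    head = struct.pack("<BB", 1, len(sub_authorities)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in sub_authorities)


def parse_sid(blob: bytes) -> Tuple[int, List[int]]:
    """Inverse of make_sid with the length checks a token or ACL parser needs:
    a count byte promising more DWORDs than the buffer holds is rejected."""
    if len(blob) < 8:
        raise ValueError("truncated SID header")
    revision, count = blob[0], blob[1]
    if revision != 1 or not 1 <= count <= 15:
        raise ValueError(f"bad revision/count {revision}/{count}")
    if len(blob) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes, got {len(blob)}")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", blob[8:]))
    return authority, subs


def sid_to_string(blob: bytes) -> str:
    authority, subs = parse_sid(blob)
    # SDDL writes authorities that do not fit in 32 bits in hexadecimal
    auth = str(authority) if authority < 1 << 32 else f"0x{authority:012X}"
    return "S-1-" + auth + "".join(f"-{s}" for s in subs)


def string_to_sid(text: str) -> bytes:
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {text!r}")
    return make_sid(int(parts[2], 0), *(int(p) for p in parts[3:]))


def describe(blob: bytes) -> Tuple[str, str]:
    """String form plus the well-known name, if the table has one."""
    s = sid_to_string(blob)
    return s, WELL_KNOWN.get(s, "(not in table)")


if __name__ == "__main__":
    admins = make_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
    print(admins.hex(), describe(admins))
```

The same encoder and parser apply to SIDs pulled out of token dumps, security descriptors or event logs; the length check in parse_sid is the one to keep when the input is untrusted, since a SubAuthorityCount larger than the buffer is the classic way a malformed SID over-reads.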
                                                                                  APIs
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004713DF
                                                                                  • GetLastError.KERNEL32(-00000010,?), ref: 004713E8
                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00471435
                                                                                  • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00471459
                                                                                  • CloseHandle.KERNEL32(00000000,0047148A,00000000,00000000,000000FF,000000FF,00000000,00471483,?,-00000010,?), ref: 0047147D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
                                                                                  • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                  • API String ID: 171997614-221126205
                                                                                  • Opcode ID: fa73161be6b6090d123151f3305e67f557baf9ad665618376936e9eb16b8b0d2
                                                                                  • Instruction ID: f321ecab20c0453dbb4e96fa9d5d064587d1392c5a69a60889680490007c30e8
                                                                                  • Opcode Fuzzy Hash: fa73161be6b6090d123151f3305e67f557baf9ad665618376936e9eb16b8b0d2
                                                                                  • Instruction Fuzzy Hash: 94218670A00204AADB10EBED9842BDE76A8EB04318F50853BF508E72A2DB7C8D458B5D
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 0042298C
                                                                                  • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B56), ref: 0042299C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSendShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1631623395-0
                                                                                  • Opcode ID: af69bf56686823918ec6bec0a9a48de28d4fe3b3c96ddddc7fc059f4f302e593
                                                                                  • Instruction ID: 66e5415131971ea9188ed11aea93af7775a9f98163e3ab9f7913674309157a5d
                                                                                  • Opcode Fuzzy Hash: af69bf56686823918ec6bec0a9a48de28d4fe3b3c96ddddc7fc059f4f302e593
                                                                                  • Instruction Fuzzy Hash: 87918371B04214FFD711EFA9DA86F9D77F4AB05304F5501BAF900AB2A2C678AE409B58
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 0041832B
                                                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00418348
                                                                                  • GetWindowRect.USER32(?), ref: 00418364
                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00418372
                                                                                  • GetWindowLongA.USER32(?,000000F8), ref: 00418387
                                                                                  • ScreenToClient.USER32(00000000), ref: 00418390
                                                                                  • ScreenToClient.USER32(00000000,?), ref: 0041839B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                  • String ID: ,
                                                                                  • API String ID: 2266315723-3772416878
                                                                                  • Opcode ID: a02eea24357b971735d230bb7d4779386c915b93d77952ab766c1b8df95673e1
                                                                                  • Instruction ID: 2175d660801d36dc516acc566ebbdc6a0a275ff9a36a5191d9c768dd5587bda6
                                                                                  • Opcode Fuzzy Hash: a02eea24357b971735d230bb7d4779386c915b93d77952ab766c1b8df95673e1
                                                                                  • Instruction Fuzzy Hash: 8B111971505201AFDB00DF69C885F9B77E8AF48714F180A7EBD58DB286C738D900CB69
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 00453987
                                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0045398D
                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004539A6
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004539CD
                                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004539D2
                                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 004539E3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                  • String ID: SeShutdownPrivilege
                                                                                  • API String ID: 107509674-3733053543
                                                                                  • Opcode ID: fb9c40edafde0e39396708c3223b131742c2333adf1544f7cf093ab60178b3bd
                                                                                  • Instruction ID: ba95de1f919fb86d956bbfc46965498e3b7b47745acb77794947dc971716d99e
                                                                                  • Opcode Fuzzy Hash: fb9c40edafde0e39396708c3223b131742c2333adf1544f7cf093ab60178b3bd
                                                                                  • Instruction Fuzzy Hash: DBF068F1694302B9E610AE718C07F6B2188974478AF50092BBD45EA1C3D7FDDA0C4A7E
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045A505
                                                                                  • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045A515
                                                                                  • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045A525
                                                                                  • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,00477E2F,00000000,00477E58), ref: 0045A54A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CryptVersion
                                                                                  • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                  • API String ID: 1951258720-508647305
                                                                                  • Opcode ID: dc227989441d83936e649666439b3cc639ab8d756e21d5d58c0105270db5c94c
                                                                                  • Instruction ID: c721a2fd2455037b3106a82495dc64aa217f0e45604615640396be52aa14e824
                                                                                  • Opcode Fuzzy Hash: dc227989441d83936e649666439b3cc639ab8d756e21d5d58c0105270db5c94c
                                                                                  • Instruction Fuzzy Hash: 46F030F0501709EADB05DF76AC85B6236E5D7AC316F18C93BA404951BAE77C045CCE0D
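The three exports resolved from the module at 10000000 (ISCryptGetVersion, ArcFourInit, ArcFourCrypt) are the interface of Inno Setup's optional ISCrypt.dll, loaded when the installer's data archive is password-encrypted; the names indicate RC4 (ArcFour). The Python below is an added example of that cipher, not code from the report, from the sample or from ISCrypt.dll; treating ArcFourInit as the key schedule and ArcFourCrypt as an in-place XOR with the keystream is an assumption about the DLL's interface. It checks the public RC4 test vectors and demonstrates the property a reverser or defender should keep in mind: RC4 is unauthenticated, and any keystream reuse leaks the XOR of the two plaintexts without the key.

```python
"""RC4 (ArcFour) as a key-scheduled stream cipher, with its keystream-reuse flaw.

Added example: not code from the report, from the sample or from ISCrypt.dll.
That ArcFourInit runs the key schedule and ArcFourCrypt XORs a buffer with the
keystream in place is an assumption about that DLL, mirrored here by
ArcFour.__init__ and ArcFour.crypt.
"""
from typing import Iterable


class ArcFour:
    def __init__(self, key: bytes) -> None:
        if not 1 <= len(key) <= 256:
            raise ValueError("RC4 key must be 1..256 bytes")
        # Key-scheduling algorithm (KSA): permute 0..255 under the key
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self._s, self._i, self._j = s, 0, 0

    def keystream(self, n: int) -> bytes:
        # Pseudo-random generation algorithm (PRGA); the (i, j) state carries
        # across calls, so a buffer may be fed in chunks
        s, i, j = self._s, self._i, self._j
        out = bytearray(n)
        for k in range(n):
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out[k] = s[(s[i] + s[j]) & 0xFF]
        self._i, self._j = i, j
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        # Encryption and decryption are the same XOR against the keystream
        return bytes(a ^ b for a, b in zip(data, self.keystream(len(data))))


def rc4(key: bytes, data: bytes) -> bytes:
    """One-shot encrypt/decrypt with a fresh key schedule."""
    return ArcFour(key).crypt(data)


def crypt_in_chunks(key: bytes, chunks: Iterable[bytes]) -> bytes:
    """Same result as rc4() over the concatenation: the state persists between calls."""
    cipher = ArcFour(key)
    return b"".join(cipher.crypt(c) for c in chunks)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages encrypted under the same key from keystream offset 0 give
    c1 XOR c2 = p1 XOR p2 to anyone holding both ciphertexts; no key needed."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def recover_with_crib(c1: bytes, c2: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Knowing a crib of p1 at some offset yields p2 at the same positions."""
    leak = keystream_reuse_leak(c1, c2)
    return bytes(a ^ b for a, b in zip(leak[offset:offset + len(crib)], crib))


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3 (public RC4 test vector)
```

Because encryption is a plain XOR with a key-derived stream, the only secret in an ISCrypt-protected archive is the password that seeds the key schedule; there is no integrity tag, so a modified ciphertext decrypts without complaint, and the cipher gives no protection against analysis once the password is known.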
                                                                                  APIs
                                                                                  • CoCreateInstance.OLE32(00490A3C,00000000,00000001,00490774,?,00000000,0045481A), ref: 00454660
                                                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                  • CoCreateInstance.OLE32(00490764,00000000,00000001,00490774,?,00000000,0045481A), ref: 00454684
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 004547DF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateInstanceString$AllocByteCharFreeMultiWide
                                                                                  • String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
                                                                                  • API String ID: 2125489766-615220198
                                                                                  • Opcode ID: 1ff2274b41b5fff1f05c262f12fd10495a65f751bb0ac0f6b43a2977615f8d09
                                                                                  • Instruction ID: ffd62f61cc6991af28f12abceade669c84836543173017e35bfd2355551696ac
                                                                                  • Opcode Fuzzy Hash: 1ff2274b41b5fff1f05c262f12fd10495a65f751bb0ac0f6b43a2977615f8d09
                                                                                  • Instruction Fuzzy Hash: 68511E75A00204AFDB50EFA9C885F9E77F8AF4970AF144066B904EB252D778DD88CB19
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000,0048F3BC,?,?,00000000,00491628), ref: 0048F0F7
                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0048F17A
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0048F1B6,?,00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000), ref: 0048F192
                                                                                  • FindClose.KERNEL32(000000FF,0048F1BD,0048F1B6,?,00000000,?,00000000,0048F1DE,?,?,00000000,00491628,?,0048F368,00000000,0048F3BC), ref: 0048F1B0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$AttributesCloseFirstNext
                                                                                  • String ID: isRS-$isRS-???.tmp
                                                                                  • API String ID: 134685335-3422211394
                                                                                  • Opcode ID: e6b155d1fc5a6fed76f3ff436aabfe78a099c9d3dd152136b718bcc6898442c5
                                                                                  • Instruction ID: 0995a0b52c99030cdacd69922d83117e593e9f56f2330464dc8cd1f01f413916
                                                                                  • Opcode Fuzzy Hash: e6b155d1fc5a6fed76f3ff436aabfe78a099c9d3dd152136b718bcc6898442c5
                                                                                  • Instruction Fuzzy Hash: F6317471900608ABDB10FF65CC85ACEB7BCDB49304F5088F7A808A32A1D7389E458F58
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000,?,004764B6,00000000,00000000), ref: 0047610D
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047621D,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000), ref: 004761F9
                                                                                  • FindClose.KERNEL32(000000FF,00476224,0047621D,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000), ref: 00476217
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00476372,?,00000000,?,00000000,?,004764B6,00000000), ref: 00476270
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$First$CloseNext
                                                                                  • String ID:
                                                                                  • API String ID: 2001080981-0
                                                                                  • Opcode ID: c2a30befad65cb5fce50af56d2711088d7b647a5dbfa7200fec2fd63f1518930
                                                                                  • Instruction ID: 8c9fb22c455a10fb5a36ca721a14443a04b07c4b30e1df5645117e00204b3789
                                                                                  • Opcode Fuzzy Hash: c2a30befad65cb5fce50af56d2711088d7b647a5dbfa7200fec2fd63f1518930
                                                                                  • Instruction Fuzzy Hash: A771307090064DAFCF11EFA5CC45ADFBBB9EF49304F5180AAE808A7291D7399A45CF58
                                                                                  APIs
                                                                                  • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004550F1
                                                                                  • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455118
                                                                                  • SetForegroundWindow.USER32(?), ref: 00455129
                                                                                  • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004553F4,?,00000000,00455430), ref: 004553DF
                                                                                  Strings
                                                                                  • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00455269
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                  • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                  • API String ID: 2236967946-3182603685
                                                                                  • Opcode ID: 4b7d33720b6eb7d067316519216896749b14cf25987947e9aa13bbe8f6ed6c13
                                                                                  • Instruction ID: 55a69997a3f8f3e0e0b4dd554ff312d23ac1d546746a95e528c0755331bb9322
                                                                                  • Opcode Fuzzy Hash: 4b7d33720b6eb7d067316519216896749b14cf25987947e9aa13bbe8f6ed6c13
                                                                                  • Instruction Fuzzy Hash: AA919C34604A04EFD711CF55C965F6ABBE5EB89705F2180BAED04977A2C778AE04CA18
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004542D4), ref: 004541D0
                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004541D6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                  • API String ID: 1646373207-3712701948
                                                                                  • Opcode ID: 6921d75a8c7e89856c53c54ce05328723cd5f2d2d5c9adca72d6fda43c64f4e5
                                                                                  • Instruction ID: 2d0bad47dcdbd0afe089202d066c8c13d69d372c820e44c9644451e9ab65bfc2
                                                                                  • Opcode Fuzzy Hash: 6921d75a8c7e89856c53c54ce05328723cd5f2d2d5c9adca72d6fda43c64f4e5
                                                                                  • Instruction Fuzzy Hash: DA315371A04259AFCF01DBE5D8829EEB7B8EF49304F5045A7F800F7692D63C5D498B68
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 00417CA7
                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CC5
                                                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00417CFB
                                                                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D22
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Placement$Iconic
                                                                                  • String ID: ,
                                                                                  • API String ID: 568898626-3772416878
                                                                                  • Opcode ID: c408806607909347ca89147f10def93184e476397b749817e92896a8f77c2243
                                                                                  • Instruction ID: 09dd2f6c86a6dd294e7079b4912c6a74c3ea6d73e0aaba55afa268ad374e44ee
                                                                                  • Opcode Fuzzy Hash: c408806607909347ca89147f10def93184e476397b749817e92896a8f77c2243
                                                                                  • Instruction Fuzzy Hash: F1213E71600208ABDF50EF69D8C0ADA77B8AF48314F15456AFE18DF346D778E844CBA8
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001,00000000,0045ECC5), ref: 0045EB39
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EBC8
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0045EC7A,?,00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EC5A
                                                                                  • FindClose.KERNEL32(000000FF,0045EC81,0045EC7A,?,00000000,?,00000000,0045EC98,?,00000001,00000000,0045ECC5), ref: 0045EC74
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                                                  • String ID:
                                                                                  • API String ID: 4011626565-0
                                                                                  • Opcode ID: dc5338f80e1f029b4f8e8b91e557324ea873113412f12b2013edcdecd03d94c3
                                                                                  • Instruction ID: 3a4d7cb4941e96cfdd303e4f0826b6c285f1ddbae1b5db0b7c96a3fe66f8f59e
                                                                                  • Opcode Fuzzy Hash: dc5338f80e1f029b4f8e8b91e557324ea873113412f12b2013edcdecd03d94c3
                                                                                  • Instruction Fuzzy Hash: A941A770A046189FDB15EF66CC45ADEB7B8EB48306F4044BAF804E7342D63C9F488E58
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001,00000000,0045F16B), ref: 0045EFF9
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F03F
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0045F118,?,00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F0F4
                                                                                  • FindClose.KERNEL32(000000FF,0045F11F,0045F118,?,00000000,?,00000000,0045F136,?,00000001,00000000,0045F16B), ref: 0045F112
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                                                  • String ID:
                                                                                  • API String ID: 4011626565-0
                                                                                  • Opcode ID: 541b62a81bf70b795dd067537b0e07b89d97958f03cda714e22a6959c94b31e8
                                                                                  • Instruction ID: 640d99d9abe4894cefdbd3fd6d16d781720cdc17d517c820ae452588c85b6f1a
                                                                                  • Opcode Fuzzy Hash: 541b62a81bf70b795dd067537b0e07b89d97958f03cda714e22a6959c94b31e8
                                                                                  • Instruction Fuzzy Hash: 4A415531A00A18DBCB10EF65DC859DEB7B9EB88316F4044BAF804E7342D6389E488E59
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E6DE
                                                                                  • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E709
                                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E716
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E71E
                                                                                  • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045153B,00000000,0045155C), ref: 0042E724
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                  • String ID:
                                                                                  • API String ID: 1177325624-0
                                                                                  • Opcode ID: 61c0b65f11590cc0ec78ea52688af32a25736f0531a16fe2034826f1a78c5c91
                                                                                  • Instruction ID: cfcd0b13f67bde27cb287f5cb841aeaa4b6519b2e9d9e2871a7c89d990822bf0
                                                                                  • Opcode Fuzzy Hash: 61c0b65f11590cc0ec78ea52688af32a25736f0531a16fe2034826f1a78c5c91
                                                                                  • Instruction Fuzzy Hash: 7BF06D713917207AF620B17A6C86F7B418CC789B68F10863ABB14FF1C1D9A85D0555AD
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 0047B87A
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0047B898
                                                                                  • ShowWindow.USER32(00000000,00000005,00000000,000000F0,00491F50,0047B0C6,0047B0FA,00000000,0047B11A,?,?,00000001,00491F50), ref: 0047B8BA
                                                                                  • ShowWindow.USER32(00000000,00000000,00000000,000000F0,00491F50,0047B0C6,0047B0FA,00000000,0047B11A,?,?,00000001,00491F50), ref: 0047B8CE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Show$IconicLong
                                                                                  • String ID:
                                                                                  • API String ID: 2754861897-0
                                                                                  • Opcode ID: cfd0831661ad663eb917c2d02f63290d2463dede9815b3911d9f7cd8ec235724
                                                                                  • Instruction ID: baa5e676ec9c0d2e7e64be375973edd3553068a70d3116c84d2eaa9e006cecd4
                                                                                  • Opcode Fuzzy Hash: cfd0831661ad663eb917c2d02f63290d2463dede9815b3911d9f7cd8ec235724
                                                                                  • Instruction Fuzzy Hash: BE015E71A142056BD700B7B5DC45BAB339CAB15384F0A457BF8499B2AACB7DC880878D
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0045D658), ref: 0045D5DC
                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0045D638,?,00000000,?,00000000,0045D658), ref: 0045D618
                                                                                  • FindClose.KERNEL32(000000FF,0045D63F,0045D638,?,00000000,?,00000000,0045D658), ref: 0045D632
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 3541575487-0
                                                                                  • Opcode ID: 33ee04b2700281fe0b41767445ae053f4dc073427bb892a62614f5783a70e92d
                                                                                  • Instruction ID: 0ce5ae1f025114c6719b1c3c65257df9a0366b5f2e6328d66f20572a18fa54c0
                                                                                  • Opcode Fuzzy Hash: 33ee04b2700281fe0b41767445ae053f4dc073427bb892a62614f5783a70e92d
                                                                                  • Instruction Fuzzy Hash: F321C9719046086ECB21DF658C41ACEBBACDF49305F5044B7AC08D3552D6389A498E19
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 0042417C
                                                                                  • SetActiveWindow.USER32(?,?,?,00466F57), ref: 00424189
                                                                                    • Part of subcall function 004235E4: ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
                                                                                    • Part of subcall function 00423AAC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021625AC,004241A2,?,?,?,00466F57), ref: 00423AE7
                                                                                  • SetFocus.USER32(00000000,?,?,?,00466F57), ref: 004241B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ActiveFocusIconicShow
                                                                                  • String ID:
                                                                                  • API String ID: 649377781-0
                                                                                  • Opcode ID: 4848593e48c9536867d80b2cbd12ec124348ae37830da1729c68c7c691c271f4
                                                                                  • Instruction ID: 8d446daf7b35e5ea29ffeb076200aa1129eece2f63f635de5a25b7de358d0631
                                                                                  • Opcode Fuzzy Hash: 4848593e48c9536867d80b2cbd12ec124348ae37830da1729c68c7c691c271f4
                                                                                  • Instruction Fuzzy Hash: F7F0D0B170011097DB00AFA9D885A9633A4AF48305B55417BBD05DF35BC67CDC518768
                                                                                  APIs
                                                                                  • ArcFourCrypt._ISCRYPT(?,?,?,|~F,?,?,00467E7C,00000000), ref: 0045A5BB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CryptFour
                                                                                  • String ID: |~F
                                                                                  • API String ID: 2153018856-2359949563
                                                                                  • Opcode ID: 92a169d92116aada996d5d9458f81dc8d29c8eefca20c406bde358f83e7ba105
                                                                                  • Instruction ID: 9692f02617442a2a376df0b4e6aabf7b2afe947750d0341fdcc82445fa3c8269
                                                                                  • Opcode Fuzzy Hash: 92a169d92116aada996d5d9458f81dc8d29c8eefca20c406bde358f83e7ba105
                                                                                  • Instruction Fuzzy Hash: 5BC09BF600420C7F65005795ECC9C77F75CE65C7647408526F604421119771AC104574
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 00417CA7
                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CC5
                                                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00417CFB
                                                                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D22
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Placement$Iconic
                                                                                  • String ID:
                                                                                  • API String ID: 568898626-0
                                                                                  • Opcode ID: 69517a820a0449f535e3fa6ce91cf103914ff1e4dee6cbc5125b1950d8bbeb53
                                                                                  • Instruction ID: 11b7e4335ee3226caab8470cf3c5b054e8fbabdd68a735f62f1a536aeba2eeda
                                                                                  • Opcode Fuzzy Hash: 69517a820a0449f535e3fa6ce91cf103914ff1e4dee6cbc5125b1950d8bbeb53
                                                                                  • Instruction Fuzzy Hash: 0D01713130410867DB20EE69DCC1EE777A8AB54324F154566FE18CF242D634DC8087A8
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CaptureIconic
                                                                                  • String ID:
                                                                                  • API String ID: 2277910766-0
                                                                                  • Opcode ID: 05d574ab02b87442be763abf1989c0deaf975667ca85f0561d4b8beadaa0a679
                                                                                  • Instruction ID: 3a8b8731f2edab5627af23f704938489c4dd11ab886107c36bcf2cff3c26aea9
                                                                                  • Opcode Fuzzy Hash: 05d574ab02b87442be763abf1989c0deaf975667ca85f0561d4b8beadaa0a679
                                                                                  • Instruction Fuzzy Hash: 05F0317170460167D720972AC885BAF67F69F88358B24483BE819CBB66EB78DCC5C258
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 00424133
                                                                                    • Part of subcall function 00423A1C: EnumWindows.USER32(004239B4), ref: 00423A40
                                                                                    • Part of subcall function 00423A1C: GetWindow.USER32(?,00000003), ref: 00423A55
                                                                                    • Part of subcall function 00423A1C: GetWindowLongA.USER32(?,000000EC), ref: 00423A64
                                                                                    • Part of subcall function 00423A1C: SetWindowPos.USER32(00000000,004240F4,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424143,?,?,00423D0B), ref: 00423A9A
                                                                                  • SetActiveWindow.USER32(?,?,?,00423D0B,00000000,004240F4), ref: 00424147
                                                                                    • Part of subcall function 004235E4: ShowWindow.USER32(004105E8,00000009,?,00000000,0041ED3C,004238D2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BA4), ref: 004235FF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2671590913-0
                                                                                  • Opcode ID: 9d30028009ad4628a8d0e3aae638df8d6c1a37638e51480dd0e93e30da34da79
                                                                                  • Instruction ID: dcadf6d4c305d047648006eb2a28155750554a200776102dc19c63a76c85b6db
                                                                                  • Opcode Fuzzy Hash: 9d30028009ad4628a8d0e3aae638df8d6c1a37638e51480dd0e93e30da34da79
                                                                                  • Instruction Fuzzy Hash: BAE01AA030010087DB00AF69DCC8BA672A4BF48304F5501BABD4CCF25BD73DCC508728
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0041276D), ref: 0041275B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: NtdllProc_Window
                                                                                  • String ID:
                                                                                  • API String ID: 4255912815-0
                                                                                  • Opcode ID: a5791c81ae37d8b5f1290d8fb0e90dd447bc881189c2c774a095a33dc1ebcefd
                                                                                  • Instruction ID: a8ddcdea9be836396915a3f7c0de0854b88ba77919e1187662e8d19f2bd72504
                                                                                  • Opcode Fuzzy Hash: a5791c81ae37d8b5f1290d8fb0e90dd447bc881189c2c774a095a33dc1ebcefd
                                                                                  • Instruction Fuzzy Hash: 52510431608646CFD714DB6AD681A9BF3E5FF94314B24827BD814C33A1DAB8ED91CB08
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00471A3E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: NtdllProc_Window
                                                                                  • String ID:
                                                                                  • API String ID: 4255912815-0
                                                                                  • Opcode ID: c76eea88bd8d0a7d60ffcd26e22655cbfd5c436395c4190c1cca566d77c737cb
                                                                                  • Instruction ID: 029bc5b5541294e4e1144cafc668f1a80fadc228f1d49c9345c84ce6279c24df
                                                                                  • Opcode Fuzzy Hash: c76eea88bd8d0a7d60ffcd26e22655cbfd5c436395c4190c1cca566d77c737cb
                                                                                  • Instruction Fuzzy Hash: 5C4138B5604104EFCB10CF9DD6908AAB7F9EB48310B24C596E94CDB725D338EE42DB94
                                                                                  APIs
                                                                                  • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,00467BDA), ref: 0045A5CE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CryptFour
                                                                                  • String ID:
                                                                                  • API String ID: 2153018856-0
                                                                                  • Opcode ID: 7567f3976229c45b6434f01aabe130da5a209489209cb06c09f49983fc845cf4
                                                                                  • Instruction ID: 527f91f744bbf07d4cbd4d34731dd7f836b123af709a081cc5745f589b9e42a5
                                                                                  • Opcode Fuzzy Hash: 7567f3976229c45b6434f01aabe130da5a209489209cb06c09f49983fc845cf4
                                                                                  • Instruction Fuzzy Hash: BFA002B4A803057AFD2057705D0EF36252C97D4F01F208865B211A91E887A46400852C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2601605193.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2601583678.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.2601634794.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_10000000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                  • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                  • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                  • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2601605193.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2601583678.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.2601634794.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_10000000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                  • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                  • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                  • Instruction Fuzzy Hash:
                                                                                  APIs
                                                                                  • CreateMutexA.KERNEL32(00490A74,00000001,00000000,00000000,00456151,?,?,?,00000001,?,0045636B,00000000,00456381,?,00000000,00491628), ref: 00455E69
                                                                                  • CreateFileMappingA.KERNEL32(000000FF,00490A74,00000004,00000000,00002018,00000000), ref: 00455EA1
                                                                                  • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,00456127,?,00490A74,00000001,00000000,00000000,00456151,?,?,?), ref: 00455EC8
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00455FD5
                                                                                  • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,00456127,?,00490A74,00000001,00000000,00000000,00456151), ref: 00455F2D
                                                                                    • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
                                                                                  • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00455FEC
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456025
                                                                                  • GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456037
                                                                                  • UnmapViewOfFile.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456109
                                                                                  • CloseHandle.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456118
                                                                                  • CloseHandle.KERNEL32(00000000,0045612E,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456121
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                  • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$kcE
                                                                                  • API String ID: 4012871263-3188938376
                                                                                  • Opcode ID: a5720f22c16d908e3ec8c4e1d57512098e758ccac26df47d2de229fce525af2a
                                                                                  • Instruction ID: b7f9d8417b4f58181c1f599a9bc7e162deeb1a38a1606bc22e72a62ab4d83832
                                                                                  • Opcode Fuzzy Hash: a5720f22c16d908e3ec8c4e1d57512098e758ccac26df47d2de229fce525af2a
                                                                                  • Instruction Fuzzy Hash: 96918270E002199FDB10EBA9C841BAEB7B4EB08305F51856BF814EB393D7789948CF59
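The record above (CreateMutexA, CreateFileMappingA, MapViewOfFile, CreateProcessA, WaitForSingleObject, with strings naming `_isetup\_RegDLL.tmp`) is the kind of function a triager wants pulled out of a report this long without reading every block. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses "APIs" records in the text form shown on this page into per-function call lists and tags a few patterns (shared-memory IPC, child-process spawn followed by a wait, inherited handles, the CreateProcess creation flags). The embedded sample records are copied from this page's blocks with their argument lists shortened; the flag table holds the documented Win32 `dwCreationFlags` values, and the tag names are this example's own choice.

```python
"""Parse Joe Sandbox 'APIs' records (text form, as on this page) into
per-function call lists and tag triage-relevant patterns. Added example,
not code from the report or the analysed sample; tag names are my own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two records copied from this report, argument lists shortened.
SAMPLE = """\
APIs
• CreateMutexA.KERNEL32(00490A74,00000001,00000000,00000000,00456151), ref: 00455E69
• CreateFileMappingA.KERNEL32(000000FF,00490A74,00000004,00000000,00002018,00000000), ref: 00455EA1
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000), ref: 00455EC8
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00455FD5
• ReleaseMutex.KERNEL32(00000000,00000000), ref: 00455F2D
  • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000), ref: 00451A9B
• CloseHandle.KERNEL32(?), ref: 00455FEC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00456025
• GetLastError.KERNEL32(00000000,000000FF), ref: 00456037
• UnmapViewOfFile.KERNEL32(00000000,0045612E), ref: 00456109
• CloseHandle.KERNEL32(00000000,0045612E), ref: 00456118
• CloseHandle.KERNEL32(00000000,0045612E), ref: 00456121
Strings
Memory Dump Source
APIs
• IsIconic.USER32(?), ref: 0042417C
• SetActiveWindow.USER32(?,?,?,00466F57), ref: 00424189
  • Part of subcall function 004235E4: ShowWindow.USER32(004105E8,00000009), ref: 004235FF
• SetFocus.USER32(00000000,?,?,?,00466F57), ref: 004241B6
Memory Dump Source
"""

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when the report attributes it to a subcall

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})"
)

def parse_api_blocks(text: str) -> List[List[Call]]:
    """One call list per 'APIs' record; a record ends at 'Strings' or 'Memory Dump Source'."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
        elif current is not None and line in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            sub, api, module, args, ref = m.groups()
            current.append(Call(api, module, args.split(",") if args else [],
                                ref.upper(), sub.upper() if sub else None))
    return [b for b in blocks if b]   # drop records whose call list did not survive extraction

# Documented Win32 dwCreationFlags bits (CreateProcess argument 6).
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                  0x10: "CREATE_NEW_CONSOLE", 0x200: "CREATE_NEW_PROCESS_GROUP",
                  0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"}

def decode_creation_flags(value: int) -> List[str]:
    names = [n for bit, n in sorted(CREATION_FLAGS.items()) if value & bit]
    rest = value & ~sum(CREATION_FLAGS)
    return names + ([f"0x{rest:08X}"] if rest else [])   # keep unnamed bits visible

def hex_arg(call: Call, index: int) -> Optional[int]:
    # None when the report shows '?' for the argument or the call has fewer arguments
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def triage(block: List[Call]) -> List[str]:
    """Tags: shared-memory IPC, child spawn (+wait), inherited handles, creation flags."""
    names = {c.api for c in block}
    tags: List[str] = []
    if names & {"CreateFileMappingA", "CreateFileMappingW"} and "MapViewOfFile" in names:
        tags.append("shared-memory")
    spawn = next((c for c in block if c.api in ("CreateProcessA", "CreateProcessW")), None)
    if spawn is not None:
        tags.append("spawn+wait" if "WaitForSingleObject" in names else "spawn")
        if hex_arg(spawn, 4):                 # bInheritHandles
            tags.append("inherit-handles")
        flags = hex_arg(spawn, 5)             # dwCreationFlags
        if flags is not None:
            tags.extend("flag:" + f for f in decode_creation_flags(flags))
    return tags

def summarize(text: str) -> List[str]:
    """One line per record: first call-site address, call count, tags."""
    return [f"{b[0].ref}: {len(b)} calls, tags={','.join(triage(b)) or '-'}"
            for b in parse_api_blocks(text)]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run against the whole report text instead of `SAMPLE` to list every function that spawns and waits on a child; on this page that singles out the `_RegDLL.tmp` record, while the window-management and `ArcFourCrypt` records carry no tags. Subcall lines are kept in the list because Joe Sandbox's own "API ID" summaries count them too, but the `subcall_of` field lets you drop them when you only want the function's direct imports.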
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32(?,00418F88,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                                  • SetErrorMode.KERNEL32(00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0DA
                                                                                  • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0E6
                                                                                  • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F88,00000000,?,?,?,00000001), ref: 0041F0F4
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F124
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F14D
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F162
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F177
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F18C
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1A1
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1B6
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1CB
                                                                                  • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1E0
                                                                                  • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1F5
                                                                                  • FreeLibrary.KERNEL32(00000001,?,00418F88,00000000,?,?,?,00000001), ref: 0041F207
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                  • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                  • API String ID: 2323315520-3614243559
                                                                                  • Opcode ID: 7f32d69dd917b873b538dcabe640766f1285c8d94d518e442152a31ca124f4c3
                                                                                  • Instruction ID: 7d0f0b1f9e98edf1a9ddda289dbf8071659bc8ae740419ad4f90ac4d37035942
                                                                                  • Opcode Fuzzy Hash: 7f32d69dd917b873b538dcabe640766f1285c8d94d518e442152a31ca124f4c3
                                                                                  • Instruction Fuzzy Hash: 92313EB5A40740EFDF10EBF1AC86A653694B728724B45193BB018DB1A2E77D484ACF1C
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,?,0041A8DC,?), ref: 0041C9D8
                                                                                  • 74284C40.GDI32(?,00000000,?,0041A8DC,?), ref: 0041C9E4
                                                                                  • 74286180.GDI32(0041A8DC,?,00000001,00000001,00000000,00000000,0041CBFA,?,?,00000000,?,0041A8DC,?), ref: 0041CA08
                                                                                  • 74284C00.GDI32(?,0041A8DC,?,00000000,0041CBFA,?,?,00000000,?,0041A8DC,?), ref: 0041CA18
                                                                                  • SelectObject.GDI32(0041CDD4,00000000), ref: 0041CA33
                                                                                  • FillRect.USER32(0041CDD4,?,?), ref: 0041CA6E
                                                                                  • SetTextColor.GDI32(0041CDD4,00000000), ref: 0041CA83
                                                                                  • SetBkColor.GDI32(0041CDD4,00000000), ref: 0041CA9A
                                                                                  • PatBlt.GDI32(0041CDD4,00000000,00000000,0041A8DC,?,00FF0062), ref: 0041CAB0
                                                                                  • 74284C40.GDI32(?,00000000,0041CBB3,?,0041CDD4,00000000,?,0041A8DC,?,00000000,0041CBFA,?,?,00000000,?,0041A8DC), ref: 0041CAC3
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041CAF4
                                                                                  • 74278830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3,?,0041CDD4,00000000,?,0041A8DC), ref: 0041CB0C
                                                                                  • 742722A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3,?,0041CDD4,00000000,?), ref: 0041CB15
                                                                                  • 74278830.GDI32(0041CDD4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3), ref: 0041CB24
                                                                                  • 742722A0.GDI32(0041CDD4,0041CDD4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBA2,?,?,00000000,0041CBB3), ref: 0041CB2D
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041CB46
                                                                                  • SetBkColor.GDI32(00000000,00000000), ref: 0041CB5D
                                                                                  • 74284D40.GDI32(0041CDD4,00000000,00000000,0041A8DC,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CBA2,?,?,00000000), ref: 0041CB79
                                                                                  • SelectObject.GDI32(00000000,?), ref: 0041CB86
                                                                                  • DeleteDC.GDI32(00000000), ref: 0041CB9C
                                                                                    • Part of subcall function 00419FF0: GetSysColor.USER32(?), ref: 00419FFA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$74284$ObjectSelect$74272274278830Text$742774286180A570DeleteFillRect
                                                                                  • String ID:
                                                                                  • API String ID: 1476482780-0
                                                                                  • Opcode ID: d40a97faddc7b993abc919c2ebc3dd6a9d9f07d849d610cba1b11841826118dd
                                                                                  • Instruction ID: 9a9a9a3989e6a6ab41d325b43f14cf70747c0909c72bd90b67e4700795e11c83
                                                                                  • Opcode Fuzzy Hash: d40a97faddc7b993abc919c2ebc3dd6a9d9f07d849d610cba1b11841826118dd
                                                                                  • Instruction Fuzzy Hash: A0611D71A44609ABDF10EBE5DC86FAFB7B8EF48704F10446AF504F7281C67CA9418B68
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000,?,0048FA95,00000000,0048FA9F,?,00000000), ref: 0048F44F
                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000,?,0048FA95,00000000), ref: 0048F462
                                                                                  • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000,00000000), ref: 0048F472
                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0048F493
                                                                                  • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048F755,?,?,00000000,?,00000000), ref: 0048F4A3
                                                                                    • Part of subcall function 0042D320: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3AE,?,?,00000000,?,?,0048EE8C,00000000,0048F028,?,?,00000005), ref: 0042D355
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                  • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                  • API String ID: 2000705611-3672972446
                                                                                  • Opcode ID: 39a111b07db34b5175f652819bd8f84d2d5bebaf96c4bf3d03785a6843c72432
                                                                                  • Instruction ID: 468110d2e5aeda5219102b72ac5d9567bb0ae356309b4361f59a0122e7866ca5
                                                                                  • Opcode Fuzzy Hash: 39a111b07db34b5175f652819bd8f84d2d5bebaf96c4bf3d03785a6843c72432
                                                                                  • Instruction Fuzzy Hash: EB81C830A04244AFEB11FFA5D856BAF77A4EB49304F914877F400AB391D67D9C0ACB59
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32 ref: 00459F82
                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00459FA2
                                                                                  • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 00459FAF
                                                                                  • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoA), ref: 00459FBC
                                                                                  • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 00459FCA
                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A19E), ref: 0045A069
                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A19E), ref: 0045A072
                                                                                  • LocalFree.KERNEL32(?,0045A14C), ref: 0045A13F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
                                                                                  • String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$W$advapi32.dll
                                                                                  • API String ID: 4088882585-3389539026
                                                                                  • Opcode ID: 40e20d996d154c7513127dc85f1ac4c3553213370ce6e3c638a8d12d669914d2
                                                                                  • Instruction ID: af1122037a66e019b3113c55f9ba6096c98a7e40202b91a649e670660f0a226b
                                                                                  • Opcode Fuzzy Hash: 40e20d996d154c7513127dc85f1ac4c3553213370ce6e3c638a8d12d669914d2
                                                                                  • Instruction Fuzzy Hash: 2551A4B1900608EFDB10DF99C845BAEB7F8EB48315F20816AF904F7281C6799D44CF69
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,004580D2,?,?,?,?,?,00000005,?,00000000,0048E932,?,00000000,0048E9CD), ref: 00457F84
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                  • API String ID: 1452528299-1593206319
                                                                                  • Opcode ID: cd0a6aaac7450f162ec7ff96070dff22de42fbe93b92331851df833a165ee4a0
                                                                                  • Instruction ID: 45e7beb611f94a6fc0cb308bcce4372837f3afd3a78530d29a4e55fbb22beab3
                                                                                  • Opcode Fuzzy Hash: cd0a6aaac7450f162ec7ff96070dff22de42fbe93b92331851df833a165ee4a0
                                                                                  • Instruction Fuzzy Hash: AF61AF307046449BDB00EB6998827AE7BA59F48715F51846FFC01EB383CF7C9A49C799
                                                                                  APIs
                                                                                  • 74284C40.GDI32(00000000,?,00000000,?), ref: 0041B35B
                                                                                  • 74284C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B365
                                                                                  • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B377
                                                                                  • 74286180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B38E
                                                                                  • 7427A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39A
                                                                                  • 74284C00.GDI32(00000000,0000000B,?,00000000,0041B3F3,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C7
                                                                                  • 7427A480.USER32(00000000,00000000,0041B3FA,00000000,0041B3F3,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3ED
                                                                                  • SelectObject.GDI32(00000000,?), ref: 0041B408
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B417
                                                                                  • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B443
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041B451
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B45F
                                                                                  • DeleteDC.GDI32(00000000), ref: 0041B468
                                                                                  • DeleteDC.GDI32(?), ref: 0041B471
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$Select$74284$7427Delete$74286180A480A570Stretch
                                                                                  • String ID:
                                                                                  • API String ID: 1630650915-0
                                                                                  • Opcode ID: b3ce41903ddd2cdbb4a4fbae55eff1dfdf8ec99947ec8254b5571ea20fbca025
                                                                                  • Instruction ID: 6bb5b4be79febef773d70843bd669dc511a3072a5871217d6b93a7ca38d26bba
                                                                                  • Opcode Fuzzy Hash: b3ce41903ddd2cdbb4a4fbae55eff1dfdf8ec99947ec8254b5571ea20fbca025
                                                                                  • Instruction Fuzzy Hash: 6341BF71E40609AFDF10DAE9D845FEFB7B8EB08704F104466F614FB281C77869408BA5
                                                                                  APIs
                                                                                    • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046C5EB
                                                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046C6DE
                                                                                  • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046C6F4
                                                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046C719
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                  • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                  • API String ID: 971782779-3668018701
                                                                                  • Opcode ID: a46a7803b60f0676747b212d5b48bccf264f66f852694784030f79ee7f4777f0
                                                                                  • Instruction ID: c5d64125943c116330f26ea2af306301a80754ec3866ea2c0047d38e0dd2641f
                                                                                  • Opcode Fuzzy Hash: a46a7803b60f0676747b212d5b48bccf264f66f852694784030f79ee7f4777f0
                                                                                  • Instruction Fuzzy Hash: DAD12074A00249AFDB01EF99D881BEDBBF5AF08314F14502BF840B7392D678AD45CB69
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,?,00000000,?,00000000,00452FC5,?,0045829A,00000003,00000000,00000000,00452FFC), ref: 00452E45
                                                                                    • Part of subcall function 0042E650: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
                                                                                  • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,00000000,?,00000004,00000000,00452F0F,?,0045829A,00000000,00000000,?,00000000,?,00000000), ref: 00452EC9
                                                                                  • RegQueryValueExA.ADVAPI32(0045829A,00000000,00000000,00000000,?,00000004,00000000,00452F0F,?,0045829A,00000000,00000000,?,00000000,?,00000000), ref: 00452EF8
                                                                                  Strings
                                                                                  • RegOpenKeyEx, xrefs: 00452DC8
                                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452D9C
                                                                                  • , xrefs: 00452DB6
                                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452D63
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue$FormatMessageOpen
                                                                                  • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                  • API String ID: 2812809588-1577016196
                                                                                  • Opcode ID: 164f167b994ac05a2ab45126a4686da91eefd5f344db9a1027db2db68b31891c
                                                                                  • Instruction ID: b6e0c9aa2a7324dc16ce0eb777ef5f1f64662bbe41087482d690b0cee0de57e9
                                                                                  • Opcode Fuzzy Hash: 164f167b994ac05a2ab45126a4686da91eefd5f344db9a1027db2db68b31891c
                                                                                  • Instruction Fuzzy Hash: B8913371904208ABDB10DFA5D942BDEB7F8EB49305F10407BF901F7282D7B89E099B69
APIs
• CloseHandle.KERNEL32(?), ref: 004569EB
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456A07
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456A15
• GetExitCodeProcess.KERNEL32(?), ref: 00456A26
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A6D
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A89
Strings
• Helper isn't responding; killing it., xrefs: 004569F7
• Helper process exited, but failed to get exit code., xrefs: 00456A5F
• Helper process exited with failure code: 0x%x, xrefs: 00456A53
• Stopping 64-bit helper process. (PID: %u), xrefs: 004569DD
• Helper process exited., xrefs: 00456A35
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: dfa879da1190b2b5009c71c39ad4c581381385d4e8d941786017907b195d6b18
• Instruction ID: c2c67eabc059fe092fc353f7c4ae25755d0186064ff77fbf3dc6ddb5515218cf
• Opcode Fuzzy Hash: dfa879da1190b2b5009c71c39ad4c581381385d4e8d941786017907b195d6b18
• Instruction Fuzzy Hash: 01217F70604B409AD720EB79C44575BBAD4AF09305F41C92FF88ADB283D67CEC48CB2A
APIs
  • Part of subcall function 0042DBFC: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC28
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452B07
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452BB7,?,00000000,00452C7B), ref: 00452C43
  • Part of subcall function 0042E650: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045186F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E66F
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452A1F
• , xrefs: 00452A69
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452A4F
• RegCreateKeyEx, xrefs: 00452A7B
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: b4152d01e9ccb9eb4bc95eb9c39ab26bb747a47f82ef17865a926b6aa4eed433
• Instruction ID: 49df277322c3e2db58ac68d73aa7608868f9f3aba76e608e184ece725d7364fe
• Opcode Fuzzy Hash: b4152d01e9ccb9eb4bc95eb9c39ab26bb747a47f82ef17865a926b6aa4eed433
• Instruction Fuzzy Hash: BA81EF75A00209ABDB01DFD5C941BEEB7B9EF49305F50442BF901F7282D778AA058B69
APIs
  • Part of subcall function 00451EB8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FA7
  • Part of subcall function 00451EB8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FB7
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048E049
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0048E19D), ref: 0048E06A
• CreateWindowExA.USER32(00000000,STATIC,0048E1AC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0048E091
• SetWindowLongA.USER32(?,000000FC,0048D808), ref: 0048E0A4
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000,STATIC,0048E1AC), ref: 0048E0D4
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0048E148
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000), ref: 0048E154
  • Part of subcall function 00452208: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004522EF
• 74285CF0.USER32(?,0048E177,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048E170,?,?,000000FC,0048D808,00000000,STATIC), ref: 0048E16A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FileWindow$CloseCreateHandle$74285AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 3614729947-2312673372
• Opcode ID: dc2ba642abb86ea17383190dbdf621dce8a3c7c04dc03325410c7583d4026f4c
• Instruction ID: 807ddb41360c8efece4b1568f7706e44eaacfe1c0b7f64554d9e502e80a4ee61
• Opcode Fuzzy Hash: dc2ba642abb86ea17383190dbdf621dce8a3c7c04dc03325410c7583d4026f4c
• Instruction Fuzzy Hash: E4413E70A40208AEDB01FBA6DD46F9E77B8EB09704F50497AF510F72D1D6799A008BA8
APIs
• GetActiveWindow.USER32 ref: 0042EA54
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA68
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EA75
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EA82
• GetWindowRect.USER32(?,00000000), ref: 0042EACE
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB0C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 8242dbb534a797f2e20caac98c5d5e9c56e387a0feba33b4bb569f2e28a29b6e
• Instruction ID: 46d8cee8fd820ad79b722f42caeb789437fd50e402c398a58b8d459d0228c479
• Opcode Fuzzy Hash: 8242dbb534a797f2e20caac98c5d5e9c56e387a0feba33b4bb569f2e28a29b6e
• Instruction Fuzzy Hash: 6421F2717006246BD710DA69DC81F3B36D8EB84720F09452AF941DB386EA79EC008B99
APIs
• GetActiveWindow.USER32 ref: 0045D830
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0045D844
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045D851
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045D85E
• GetWindowRect.USER32(?,00000000), ref: 0045D8AA
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045D8E8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: d62e44f587709394466ea37500aaa1b5e2f432790840747db7898da7f77e3b37
• Instruction ID: 23bfedf7228fbea826d1c83b7972dd770d1dbaeaf2fc29a59ee8661fa47205f9
• Opcode Fuzzy Hash: d62e44f587709394466ea37500aaa1b5e2f432790840747db7898da7f77e3b37
• Instruction Fuzzy Hash: 59218075A016046BD720AA68CC81F3B32D9EF94B11F09453AFD44DB396DA78DC048B99
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00456D6B,?,00000000,00456DCE,?,?,02163858,00000000), ref: 00456BE9
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02163858,?,00000000,00456D00,?,00000000,00000001,00000000,00000000,00000000,00456D6B), ref: 00456C46
• GetLastError.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02163858,?,00000000,00456D00,?,00000000,00000001,00000000,00000000,00000000,00456D6B), ref: 00456C53
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00456C9F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00456CD9,?,-00000020,0000000C,-00002034,00000014,02163858,?,00000000,00456D00,?,00000000), ref: 00456CC5
• GetLastError.KERNEL32(?,?,00000000,00000001,00456CD9,?,-00000020,0000000C,-00002034,00000014,02163858,?,00000000,00456D00,?,00000000), ref: 00456CCC
  • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: cb038afbe5e32e3b67a98964ed7a4267f362b69b3ea10aabd8e2ebb65ae4cf67
• Instruction ID: 0b2cd44f18195d098fe370dcd7d1a83bd0e3d21fbcb88504b42bcbfe0ef11783
• Opcode Fuzzy Hash: cb038afbe5e32e3b67a98964ed7a4267f362b69b3ea10aabd8e2ebb65ae4cf67
• Instruction Fuzzy Hash: 6D41C070A00608EFDB15DF95C981F9EB7F9FB08314F5144AAF904E7692D6789E44CB28
APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454B11,?,?,00000031,?), ref: 004549D4
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004549DA
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00454A27
  • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: 39aff9fd92ac34b112b7b81d9150acff83df3ca0beae7ab2c7a1e7b9ae44b984
• Instruction ID: 2fecba792ef182a2466fe38d60bbc26a4af48833be0fcc9fef50ef1eb8159f68
• Opcode Fuzzy Hash: 39aff9fd92ac34b112b7b81d9150acff83df3ca0beae7ab2c7a1e7b9ae44b984
• Instruction Fuzzy Hash: DB31B471A40604AFDB51EFAACC11E5BB7FDEBC87097118466B800DB752DA38DD84C728
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E359,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,00479638), ref: 0042E27D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E283
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E359,?,?,00000001,00000000,?,?,00000001), ref: 0042E2D1
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: aee9e43cdfe22e88d61aa29f3bcb7d8aea1058badab76d7c86637c7a275ef629
• Instruction ID: 1e41f63d3423b93723c579b73569ceba8d094b42876aecad42777c776dcbffe9
• Opcode Fuzzy Hash: aee9e43cdfe22e88d61aa29f3bcb7d8aea1058badab76d7c86637c7a275ef629
• Instruction Fuzzy Hash: 3B213230B00219EBDB10EAA7EC55A9F77A8EB44705F904477A900E7281D7789A058B5C
                                                                                  APIs
                                                                                  • RectVisible.GDI32(?,?), ref: 00416DAB
                                                                                  • SaveDC.GDI32(?), ref: 00416DBF
                                                                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DE2
                                                                                  • RestoreDC.GDI32(?,?), ref: 00416DFD
                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00416E7D
                                                                                  • FrameRect.USER32(?,?,?), ref: 00416EB0
                                                                                  • DeleteObject.GDI32(?), ref: 00416EBA
                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00416ECA
                                                                                  • FrameRect.USER32(?,?,?), ref: 00416EFD
                                                                                  • DeleteObject.GDI32(?), ref: 00416F07
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                  • String ID:
                                                                                  • API String ID: 375863564-0
                                                                                  • Opcode ID: 2b4479f134976cc427de4a13722bf7e05ec00857587bc7c9256bd6560d63d54d
                                                                                  • Instruction ID: 850ea02e8a9b4343556f2283201a74973d1cf55a7a3e638d9b74352119c9255d
                                                                                  • Opcode Fuzzy Hash: 2b4479f134976cc427de4a13722bf7e05ec00857587bc7c9256bd6560d63d54d
                                                                                  • Instruction Fuzzy Hash: 08513B712087456BDB40EF29C8C0B9B77E8AF48314F15466AFD48CB286C738EC81CB99
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                  • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                  • String ID:
                                                                                  • API String ID: 1694776339-0
                                                                                  • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                  • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                  • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                  • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
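The entry above lists only generic file primitives (CreateFileA with GENERIC_READ and OPEN_EXISTING, GetFileSize, SetFilePointer with a -0x80 distance, ReadFile of 0x80 bytes, SetFilePointer to FILE_END, SetEndOfFile). As an added example, not code from the report or from the sample, here is that same open/size/seek-from-end/read sequence used the way a triage analyst uses it on an installer-style binary: measure whether the PE carries an overlay (bytes after the last section's raw data, which is where setup engines append their payload) and pull the trailing 0x80 bytes for inspection. The minimal PE it builds is a constructed fixture; function and constant names are mine.

```python
"""PE overlay check using open / size / seek-from-end / read, as in the entry above.
Added example for triage; not code from the sample or the report."""
import os
import struct
import tempfile
from typing import Dict

TRAILER_LEN = 0x80  # the ReadFile in the entry above requests 0x80 bytes


def parse_pe_end(fp) -> int:
    """Return the file offset where the last section's raw data ends (assumes a valid PE)."""
    fp.seek(0)
    dos = fp.read(0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    fp.seek(e_lfanew)
    if fp.read(4) != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = fp.read(20)                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", coff, 2)[0]
    opt_size = struct.unpack_from("<H", coff, 16)[0]
    fp.seek(e_lfanew + 4 + 20 + opt_size)                # first IMAGE_SECTION_HEADER
    end = 0
    for _ in range(n_sections):
        hdr = fp.read(40)
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_info(path: str, trailer_len: int = TRAILER_LEN) -> Dict[str, object]:
    """Open read-only, take the size, seek back trailer_len from the end and read it."""
    with open(path, "rb") as fp:                         # CreateFileA(GENERIC_READ, OPEN_EXISTING)
        fp.seek(0, os.SEEK_END)
        file_size = fp.tell()                            # GetFileSize
        pe_end = parse_pe_end(fp)
        fp.seek(-min(trailer_len, file_size), os.SEEK_END)  # SetFilePointer(..., FILE_END)
        trailer = fp.read(trailer_len)                   # ReadFile(..., 0x80, ...)
    return {
        "file_size": file_size,
        "pe_end": pe_end,
        "overlay_size": max(0, file_size - pe_end),      # > 0 means data is appended after the PE
        "trailer": trailer,
    }


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed 32-bit PE with one section, optionally followed by an overlay (test fixture)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                      # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (raw_ptr + 0x1FF) & ~0x1FF                 # file-align section data to 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return headers + section_data + overlay


def demo(overlay: bytes = b"INNO-STYLE-APPENDED-DATA") -> Dict[str, object]:
    """Write the constructed PE to a temp file and analyse it like a real sample."""
    sample = build_minimal_pe(b"\xC3" * 16, overlay)     # 16 bytes of RET as the only section
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        return overlay_info(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    info = demo()
    print(f"file={info['file_size']} pe_end={info['pe_end']} overlay={info['overlay_size']}")
    print(info["trailer"][-32:])
```

Point `overlay_info` at a real sample to get the overlay size and the last 0x80 bytes; a non-zero `overlay_size` on an installer-style binary is the first place to look for the packed payload, and `parse_pe_end` raises rather than guessing when the headers are not a PE.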
                                                                                  APIs
                                                                                  • GetSystemMenu.USER32(00000000,00000000), ref: 004221CB
                                                                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221E9
                                                                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221F6
                                                                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422203
                                                                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422210
                                                                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042221D
                                                                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042222A
                                                                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422237
                                                                                  • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00422255
                                                                                  • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422271
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$Delete$EnableItem$System
                                                                                  • String ID:
                                                                                  • API String ID: 3985193851-0
                                                                                  • Opcode ID: b84500d1bdba627e370d31b1c166d2edc07ccc1ebccfb2c409e249d02a917cae
                                                                                  • Instruction ID: e278505ce02f2bd95d30b17d407da9a210706e4ddb61a2b096333af5bd30a6f5
                                                                                  • Opcode Fuzzy Hash: b84500d1bdba627e370d31b1c166d2edc07ccc1ebccfb2c409e249d02a917cae
                                                                                  • Instruction Fuzzy Hash: E4212170344744BAEB25DB25DD8BFAB7AD89B08748F0440A5B6447F2D3C6FDAE408698
                                                                                  APIs
                                                                                  • FreeLibrary.KERNEL32(10000000), ref: 00479CE8
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00479CFC
                                                                                  • SendNotifyMessageA.USER32(0001043E,00000496,00002710,00000000), ref: 00479D61
                                                                                  Strings
                                                                                  • Not restarting Windows because Setup is being run from the debugger., xrefs: 00479D1D
                                                                                  • DeinitializeSetup, xrefs: 00479BF9
                                                                                  • GetCustomSetupExitCode, xrefs: 00479B9D
                                                                                  • Restarting Windows., xrefs: 00479D3C
                                                                                  • Deinitializing Setup., xrefs: 00479B5E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary$MessageNotifySend
                                                                                  • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                  • API String ID: 3817813901-1884538726
                                                                                  • Opcode ID: 897b73cd04819112cf29f50d09c30dd7b4bb71156158dbfbf11bdf57731a2d04
                                                                                  • Instruction ID: 95ec44850c5e7f1ab6df3571a5df09eca163523de8b7c581315cb161254197e5
                                                                                  • Opcode Fuzzy Hash: 897b73cd04819112cf29f50d09c30dd7b4bb71156158dbfbf11bdf57731a2d04
                                                                                  • Instruction Fuzzy Hash: 0051B534604200AFDB25DB75EA95B9A77E4FB19314F5084BBF808C73A1DB789C44CB59
                                                                                  APIs
                                                                                    • Part of subcall function 0042CA94: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBC2,00000000,0042CBE8,?,00000001,?,?,00000000,?,0042CC3A), ref: 0042CABC
                                                                                  • SHGetMalloc.SHELL32(?), ref: 0045C597
                                                                                  • GetActiveWindow.USER32 ref: 0045C5FB
                                                                                  • CoInitialize.OLE32(00000000), ref: 0045C60F
                                                                                  • SHBrowseForFolder.SHELL32(?), ref: 0045C626
                                                                                  • CoUninitialize.OLE32(0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C63B
                                                                                  • SetActiveWindow.USER32(?,0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C651
                                                                                  • SetActiveWindow.USER32(?,?,0045C667,00000000,?,?,?,?,?,00000000,0045C6EB), ref: 0045C65A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ActiveWindow$BrowseCharFolderInitializeMallocPrevUninitialize
                                                                                  • String ID: A
                                                                                  • API String ID: 1128911707-3554254475
                                                                                  • Opcode ID: 6aca2d0e9cbc55331362c9f13a24fd18a5e61b9df52d4a6d90436bd4c2941ac8
                                                                                  • Instruction ID: 312b670ea087426fa006e960c8e3cb0182f30903be6f12de62926b3b68f49f37
                                                                                  • Opcode Fuzzy Hash: 6aca2d0e9cbc55331362c9f13a24fd18a5e61b9df52d4a6d90436bd4c2941ac8
                                                                                  • Instruction Fuzzy Hash: 68311270E00318AFDB00DFA6D886A9EBBF8EB09304F51447AF804E7252D6785A44CF59
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045A631
                                                                                  • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045A641
                                                                                  • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045A651
                                                                                  • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045A661
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                  • API String ID: 190572456-3516654456
                                                                                  • Opcode ID: bed0c592b19218b302000e891b177588dd892a96f65053ab4286eee6aeb3e139
                                                                                  • Instruction ID: cf36547cdd1c597f200aca6fe346d891c24020020a55e697658b05d70f56f1d0
                                                                                  • Opcode Fuzzy Hash: bed0c592b19218b302000e891b177588dd892a96f65053ab4286eee6aeb3e139
                                                                                  • Instruction Fuzzy Hash: 8B018FB052030ADEDB04DF32ACC03263695A364386F18C23B9C80552BBD77C045ECE0E
                                                                                  APIs
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0041A951
                                                                                  • 74284D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A98B
                                                                                  • SetBkColor.GDI32(?,?), ref: 0041A9A0
                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9EA
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041A9F5
                                                                                  • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA05
                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA44
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041AA4E
                                                                                  • SetBkColor.GDI32(00000000,?), ref: 0041AA5B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$StretchText$74284
                                                                                  • String ID:
                                                                                  • API String ID: 2569610349-0
                                                                                  • Opcode ID: 82eb3282d304b9e306b0c803916e6de8b4d2ecf1cc2efc0374c785e0eba7f8b3
                                                                                  • Instruction ID: b784b2327dbbb77ad5e653bb99e7467a243cec1ed61aaa3db7693e9945dbbb21
                                                                                  • Opcode Fuzzy Hash: 82eb3282d304b9e306b0c803916e6de8b4d2ecf1cc2efc0374c785e0eba7f8b3
                                                                                  • Instruction Fuzzy Hash: 8661D5B5A00505EFCB40EFA9D985E9ABBF8AF08314B10856AF518EB251C734ED41CF68
                                                                                  APIs
                                                                                    • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00455D4C,?, /s ",?,regsvr32.exe",?,00455D4C), ref: 00455CBE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseDirectoryHandleSystem
                                                                                  • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                  • API String ID: 2051275411-1862435767
                                                                                  • Opcode ID: d409af3b62711a3076e859fe1edcb2bd93033f39dd478d898bc79be760b67c24
                                                                                  • Instruction ID: f93e42548513463b2b05d38e92dfbbb413aec739801f17940c66c8f0f6709406
                                                                                  • Opcode Fuzzy Hash: d409af3b62711a3076e859fe1edcb2bd93033f39dd478d898bc79be760b67c24
                                                                                  • Instruction Fuzzy Hash: 34412871A007486BDB01EFD5C895BDDBBF9AF48305F50807BA904BB292D7789A0D8B58
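The entry above carries the strings the installer engine uses when it registers a DLL through regsvr32 ("Spawning 32-bit RegSvr32: ", "Spawning 64-bit RegSvr32: ", `"regsvr32.exe" /s "..."`), which match the Inno Setup engine's RegSvr32 helper. As an added example, not code from the report or the sample, here is a small detection over constructed Sysmon-style process-creation events that flags regsvr32 launches whose target DLL, parent process or regsvr32 image itself lives outside the system directories, with `/s` (silent) raising the severity. The event field names, paths and severity thresholds are assumptions of this example, and a silent registration of a system DLL by a system parent is deliberately not flagged so the rule stays usable.

```python
"""Flag suspicious regsvr32.exe launches in process-creation events.
Added example; the events below are constructed and not taken from the report."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

SYSTEM_REGSVR32 = {                      # the only legitimate regsvr32 images
    "c:\\windows\\system32\\regsvr32.exe",
    "c:\\windows\\syswow64\\regsvr32.exe",
}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted paths as one token."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze_regsvr32(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if nothing is odd."""
    image = event["Image"].lower()
    if PureWindowsPath(image).name != "regsvr32.exe":
        return None                                   # not a regsvr32 launch at all
    argv = split_windows_cmdline(event["CommandLine"])
    flags = {a.lower() for a in argv[1:] if a.startswith("/")}
    targets = [a for a in argv[1:] if not a.startswith("/")]
    parent = event.get("ParentImage", "")
    reasons: List[str] = []
    if image not in SYSTEM_REGSVR32:
        reasons.append(f"regsvr32 image is not the System32/SysWOW64 copy: {event['Image']}")
    for target in targets:
        if in_user_writable(target):
            reasons.append(f"target DLL in a user-writable path: {target}")
        if not target.lower().endswith((".dll", ".ocx", ".ax")):
            reasons.append(f"target is not a DLL/OCX: {target}")
    if in_user_writable(parent):
        reasons.append(f"parent runs from a user-writable path: {parent}")
    if not reasons:
        return None
    # heuristic: silent registration of a DLL dropped in a writable location is the installer-abuse shape
    silent_writable_target = "/s" in flags and any(in_user_writable(t) for t in targets)
    return {
        "ProcessId": event["ProcessId"],
        "severity": "high" if silent_writable_target else "medium",
        "flags": sorted(flags),
        "targets": targets,
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (analyze_regsvr32(e) for e in events) if f]


# Constructed events (Sysmon Event ID 1 style), not from the report.
EVENTS = [
    {   # installer-style: setup copy in %TEMP% silently registers a DLL it just dropped
        "ProcessId": "4412",
        "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
        "CommandLine": '"C:\\Windows\\SysWOW64\\regsvr32.exe" /s "C:\\Users\\user\\AppData\\Local\\Temp\\is-1A2B3.tmp\\helper.dll"',
        "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\is-4C5D6.tmp\\hAyQbTcI0I.tmp",
    },
    {   # benign: MSI engine registering a system DLL
        "ProcessId": "2280",
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": '"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Windows\\System32\\msxml6.dll"',
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
    },
    {   # not regsvr32 at all; must be ignored
        "ProcessId": "980",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\explorer.exe",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe",
    },
    {   # copied regsvr32 binary run from %TEMP% without /s
        "ProcessId": "5120",
        "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /u C:\\Windows\\System32\\oleaut32.dll",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding["ProcessId"], finding["severity"], "; ".join(finding["reasons"]))
```

Run it over real events by replacing `EVENTS` with parsed Sysmon or EDR process-creation records that expose `Image`, `CommandLine` and `ParentImage`; the installer-abuse shape in the first event (silent `/s`, DLL and parent both in a user-writable path) comes out as `high`, the benign MSI registration is not reported at all.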
                                                                                  APIs
                                                                                  • OffsetRect.USER32(?,00000001,00000001), ref: 0044C7E9
                                                                                  • GetSysColor.USER32(00000014), ref: 0044C7F0
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0044C808
                                                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C831
                                                                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044C83B
                                                                                  • GetSysColor.USER32(00000010), ref: 0044C842
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0044C85A
                                                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C883
                                                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C8AE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000129,00000000,00000000), ref: 0044C93C
                                                                                  • LineDDA.GDI32(?,?,?,?,Function_0004C1D0,?), ref: 0044CACA
                                                                                  • LineDDA.GDI32(?,?,?,?,Function_0004C1D0,?), ref: 0044CAEE
                                                                                  • DrawFrameControl.USER32(00000000,?,00000004,00000000), ref: 0044CBFD
                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0044CD01
                                                                                  • OffsetRect.USER32(00000000,00000000,?), ref: 0044CDA5
                                                                                  • InflateRect.USER32(?,00000001,00000001), ref: 0044CE75
                                                                                  • SetTextColor.GDI32(00000000,?), ref: 0044CE90
                                                                                  APIs
                                                                                    • Part of subcall function 0044FAC4: SetEndOfFile.KERNEL32(?,?,00459845,00000000,004599E8,?,00000000,00000002,00000002), ref: 0044FACB
                                                                                    • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
                                                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0048D8E5
                                                                                  • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 0048D8F9
                                                                                  • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0048D913
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D91F
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D925
                                                                                  • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048D938
                                                                                  Strings
                                                                                  • Deleting Uninstall data files., xrefs: 0048D85B
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00469ED5,?,?,?,?,00000000), ref: 00469E3F
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00469ED5), ref: 00469E56
                                                                                  • AddFontResourceA.GDI32(00000000), ref: 00469E73
                                                                                  • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00469E87
                                                                                  Strings
                                                                                  • AddFontResource, xrefs: 00469E91
                                                                                  • Failed to open Fonts registry key., xrefs: 00469E5D
                                                                                  • Failed to set value in Fonts registry key., xrefs: 00469E48
                                                                                  APIs
                                                                                    • Part of subcall function 004163A8: GetClassInfoA.USER32(00400000,?,?), ref: 00416417
                                                                                    • Part of subcall function 004163A8: UnregisterClassA.USER32(?,00400000), ref: 00416443
                                                                                    • Part of subcall function 004163A8: RegisterClassA.USER32(?), ref: 00416466
                                                                                  • GetVersion.KERNEL32 ref: 0045DC94
                                                                                  • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045DCD2
                                                                                  • SHGetFileInfo.SHELL32(0045DD70,00000000,?,00000160,00004011), ref: 0045DCEF
                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0045DD0D
                                                                                  • SetCursor.USER32(00000000,00000000,00007F02,0045DD70,00000000,?,00000160,00004011), ref: 0045DD13
                                                                                  • SetCursor.USER32(?,0045DD53,00007F02,0045DD70,00000000,?,00000160,00004011), ref: 0045DD46
                                                                                  Strings
                                                                                  • Explorer
                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.KERNEL32(00491420,00000000,00401B68), ref: 00401ABD
                                                                                  • LocalFree.KERNEL32(007E46B8,00000000,00401B68), ref: 00401ACF
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,007E46B8,00000000,00401B68), ref: 00401AEE
                                                                                  • LocalFree.KERNEL32(007E56B8,?,00000000,00008000,007E46B8,00000000,00401B68), ref: 00401B2D
                                                                                  • RtlLeaveCriticalSection.KERNEL32(00491420,00401B6F), ref: 00401B58
                                                                                  • RtlDeleteCriticalSection.KERNEL32(00491420,00401B6F), ref: 00401B62
                                                                                  Strings
                                                                                  • \~
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,0045775E,?,00000000,?,00000000,?,00000005,?,00000000,0048E932,?,00000000,0048E9CD), ref: 004576A2
                                                                                    • Part of subcall function 004528AC: FindClose.KERNEL32(000000FF,004529A2), ref: 00452991
                                                                                  Strings
                                                                                  • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045767C
                                                                                  • Failed to strip read-only attribute., xrefs: 00457670
                                                                                  • Failed to delete directory (%d). Will retry later., xrefs: 004576BB
                                                                                  • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00457717
                                                                                  • Deleting directory: %s, xrefs: 0045762B
                                                                                  • Stripped read-only attribute., xrefs: 00457664
                                                                                  • Failed to delete directory (%d)., xrefs: 00457738
                                                                                  APIs
                                                                                  • GetCapture.USER32 ref: 00422E3C
                                                                                  • GetCapture.USER32 ref: 00422E4B
                                                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E51
                                                                                  • ReleaseCapture.USER32 ref: 00422E56
                                                                                  • GetActiveWindow.USER32 ref: 00422E65
                                                                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EE4
                                                                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F48
                                                                                  • GetActiveWindow.USER32 ref: 00422F57
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000), ref: 00429422
                                                                                  • GetTextMetricsA.GDI32(00000000), ref: 0042942B
                                                                                    • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0042943A
                                                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 00429447
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0042944E
                                                                                  • 7427A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00429456
                                                                                  • GetSystemMetrics.USER32(00000006), ref: 0042947B
                                                                                  • GetSystemMetrics.USER32(00000006), ref: 00429495
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,?,00418FF1,0048FB31), ref: 0041DDBF
                                                                                  • 74284620.GDI32(00000000,0000005A,00000000,?,00418FF1,0048FB31), ref: 0041DDC9
                                                                                  • 7427A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FF1,0048FB31), ref: 0041DDD6
                                                                                  • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDE5
                                                                                  • GetStockObject.GDI32(00000007), ref: 0041DDF3
                                                                                  • GetStockObject.GDI32(00000005), ref: 0041DDFF
                                                                                  • GetStockObject.GDI32(0000000D), ref: 0041DE0B
                                                                                  • LoadIconA.USER32(00000000,00007F00), ref: 0041DE1C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectStock$7427$74284620A480A570IconLoad
                                                                                  • String ID:
                                                                                  • API String ID: 294535903-0
                                                                                  • Opcode ID: 5cd52409f1a42ef3670bb024d84eb5039e8c3b1a06308a7c5a53611ef2da6f84
                                                                                  • Instruction ID: a1397b4ca46e960c86eb9c90a61334d197680284bcb8e78615aa9deb819e0443
                                                                                  • Opcode Fuzzy Hash: 5cd52409f1a42ef3670bb024d84eb5039e8c3b1a06308a7c5a53611ef2da6f84
                                                                                  • Instruction Fuzzy Hash: 00114270A453425FE740FF795D92BA63694DB24749F04803FF6049F2E2DAB90C448B5E
                                                                                  APIs
                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0045E178
                                                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045E20D), ref: 0045E17E
                                                                                  • SetCursor.USER32(?,0045E1F5,00007F02,00000000,0045E20D), ref: 0045E1E8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cursor$Load
                                                                                  • String ID: $ $Internal error: Item already expanding
                                                                                  • API String ID: 1675784387-1948079669
                                                                                  • Opcode ID: 66374a5f3efa02b7eac811ea75e7dcf2f4ac446ef057e9007c28aec30eb8c590
                                                                                  • Instruction ID: c82b97671206bee37f0607cceb23effa6a4e75b439f128a9d47cc80576d1f72f
                                                                                  • Opcode Fuzzy Hash: 66374a5f3efa02b7eac811ea75e7dcf2f4ac446ef057e9007c28aec30eb8c590
                                                                                  • Instruction Fuzzy Hash: 0BB1BF30600644DFDB18DF6AC585B9EBBF1AF05305F1484AAEC45AB393C778AE48CB58
                                                                                  APIs
                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004522EF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfileStringWrite
                                                                                  • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                  • API String ID: 390214022-3304407042
                                                                                  • Opcode ID: 57e511164ddf90741d7758b7c9a13bb3c82f412bb4ef4ea546e5bbdc2eaeadbe
                                                                                  • Instruction ID: b880a8d602179d00a68da039191d74026ef7de6d8b5abd19fd3f1fbe25940c28
                                                                                  • Opcode Fuzzy Hash: 57e511164ddf90741d7758b7c9a13bb3c82f412bb4ef4ea546e5bbdc2eaeadbe
                                                                                  • Instruction Fuzzy Hash: 7B910030E00209ABDB11EFA5D951BDEB7F5AB49305F508477E800B7292D7BCAE09CB59
                                                                                  APIs
                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,004088F8,?,?,?,?,00000000,00000000,00000000,?,004098FF,00000000,00409912), ref: 004086CA
                                                                                    • Part of subcall function 004084F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004914C0,00000001,?,004085C3,?,00000000,004086A2), ref: 00408516
                                                                                    • Part of subcall function 00408544: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408746,?,?,?,00000000,004088F8), ref: 00408557
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale$DefaultSystem
                                                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                  • API String ID: 1044490935-665933166
                                                                                  • Opcode ID: 6398917eba9f35c605718211014c2823ca990c2dd622e63239acadafc300ca0e
                                                                                  • Instruction ID: 703e3be491a9815772bafdc7c7c0f7b6202b522d2c3e8d150354549465e5c921
                                                                                  • Opcode Fuzzy Hash: 6398917eba9f35c605718211014c2823ca990c2dd622e63239acadafc300ca0e
                                                                                  • Instruction Fuzzy Hash: 4C512E34B002496BDB01FBA98941A9E6769DB88308F50D47FB151BB3C7DE3CDA05971D
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32(00000000,00411891), ref: 00411724
                                                                                  • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117E2
                                                                                    • Part of subcall function 00411A44: CreatePopupMenu.USER32 ref: 00411A5E
                                                                                  • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0041186E
                                                                                    • Part of subcall function 00411A44: CreateMenu.USER32 ref: 00411A68
                                                                                  • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411855
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                  • String ID: ,$?
                                                                                  • API String ID: 2359071979-2308483597
                                                                                  • Opcode ID: e5589ed52d94a77d0cb5df33b8defa0bad6be3346ecc0a13e21e61dc1078d7ae
                                                                                  • Instruction ID: 4db3e36a1824f200769957cd3722fd4d3721cc561e15579b2661ccf42d753284
                                                                                  • Opcode Fuzzy Hash: e5589ed52d94a77d0cb5df33b8defa0bad6be3346ecc0a13e21e61dc1078d7ae
                                                                                  • Instruction Fuzzy Hash: 1851F374A00144ABDB10EF6ADC816EA7BF9AF09304B1585BBF944E73A2D738DD418B58
                                                                                  APIs
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BEC0
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BECF
                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF20
                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF2E
                                                                                  • DeleteObject.GDI32(?), ref: 0041BF37
                                                                                  • DeleteObject.GDI32(?), ref: 0041BF40
                                                                                  • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF5D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                  • String ID:
                                                                                  • API String ID: 1030595962-0
                                                                                  • Opcode ID: baa1e2450b9de5372d0f55cbf5966268843ca39ceb3fdf4c807e45b67f8a2b96
                                                                                  • Instruction ID: 52ef36e9ff3e7ee1873761fb219a6cc292be1c227624e33a65ab7470414a0116
                                                                                  • Opcode Fuzzy Hash: baa1e2450b9de5372d0f55cbf5966268843ca39ceb3fdf4c807e45b67f8a2b96
                                                                                  • Instruction Fuzzy Hash: BE512475E00219AFCB14DFA9C8819EEB7F9EF48310B11856AF904E7391D738AD81CB64
                                                                                  APIs
                                                                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE96
                                                                                  • 74284620.GDI32(00000000,00000026), ref: 0041CEB5
                                                                                  • 74278830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF1B
                                                                                  • 742722A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF2A
                                                                                  • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF94
                                                                                  • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFD2
                                                                                  • 74278830.GDI32(?,?,00000001,0041D004,00000000,00000026), ref: 0041CFF7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Stretch$74278830$74272274284620BitsMode
                                                                                  • String ID:
                                                                                  • API String ID: 3137235269-0
                                                                                  • Opcode ID: 9e2462167f5f006b5608fcda1c138d935c6fdca52f4aea3d1b3962bd622f2fd5
                                                                                  • Instruction ID: 8fe7590bed3a2b21df9441d61fef16a42200e798c73637f143c0dae3db67bcae
                                                                                  • Opcode Fuzzy Hash: 9e2462167f5f006b5608fcda1c138d935c6fdca52f4aea3d1b3962bd622f2fd5
                                                                                  • Instruction Fuzzy Hash: 0A513CB0600604AFDB14DFA8C985F9BBBE9EF08304F10859AB545DB292C779ED81CB58
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,?,?), ref: 00454E0E
                                                                                    • Part of subcall function 00424214: GetWindowTextA.USER32(?,?,00000100), ref: 00424234
                                                                                    • Part of subcall function 0041EE3C: GetCurrentThreadId.KERNEL32 ref: 0041EE8B
                                                                                    • Part of subcall function 0041EE3C: 74285940.USER32(00000000,0041EDEC,00000000,00000000,0041EEA8,?,00000000,0041EEDF,?,0042E7D8,?,00000001), ref: 0041EE91
                                                                                    • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00454E75
                                                                                  • TranslateMessage.USER32(?), ref: 00454E93
                                                                                  • DispatchMessageA.USER32(?), ref: 00454E9C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$TextWindow$74285940CurrentDispatchSendThreadTranslate
                                                                                  • String ID: [Paused]
                                                                                  • API String ID: 3114084439-4230553315
                                                                                  • Opcode ID: 4f798f37858d44f966a921b0a713bfb36e5d8fa224b4acffba2fd680211b14e4
                                                                                  • Instruction ID: c67b15ba7ba9377d1b555b91e6b5493cd0b2d6e8e49ab6c2c63db39a0fb9b19d
                                                                                  • Opcode Fuzzy Hash: 4f798f37858d44f966a921b0a713bfb36e5d8fa224b4acffba2fd680211b14e4
                                                                                  • Instruction Fuzzy Hash: 1831D9319042489EDB11DBBADC46BDE7BB8EB89318F554077F800E7292D73C9949C728
                                                                                  APIs
                                                                                  • GetCursor.USER32(00000000,00465A87), ref: 00465A04
                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 00465A12
                                                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,00465A87), ref: 00465A18
                                                                                  • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,00465A87), ref: 00465A22
                                                                                  • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,00465A87), ref: 00465A28
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cursor$LoadSleep
                                                                                  • String ID: CheckPassword
                                                                                  • API String ID: 4023313301-1302249611
                                                                                  • Opcode ID: 5acb36fa3ab63af13457b52ddd306d446ecbf4b2c6308f3e70f3e2f2757089f7
                                                                                  • Instruction ID: 906901c5ed80ca143d06c2c25e6ac4f6bba4f83609b33dd2e821a61b899a1fac
                                                                                  • Opcode Fuzzy Hash: 5acb36fa3ab63af13457b52ddd306d446ecbf4b2c6308f3e70f3e2f2757089f7
                                                                                  • Instruction Fuzzy Hash: 6231B374644604AFD701EF69C9CAB9E7BE0AF05314F4580B6F9049B3A2EB789E44CB49
                                                                                  APIs
                                                                                    • Part of subcall function 00470C90: GetWindowThreadProcessId.USER32(00000000), ref: 00470C98
                                                                                    • Part of subcall function 00470C90: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00470D8F,00491F50,00000000), ref: 00470CAB
                                                                                    • Part of subcall function 00470C90: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00470CB1
                                                                                  • SendMessageA.USER32(00000000,0000004A,00000000,00471122), ref: 00470D9D
                                                                                  • GetTickCount.KERNEL32 ref: 00470DE2
                                                                                  • GetTickCount.KERNEL32 ref: 00470DEC
                                                                                  • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00470E41
                                                                                  Strings
                                                                                  • CallSpawnServer: Unexpected status: %d, xrefs: 00470E2A
                                                                                  • CallSpawnServer: Unexpected response: $%x, xrefs: 00470DD2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                  • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                  • API String ID: 613034392-3771334282
                                                                                  • Opcode ID: 2b24747447efea9910953d41e46288f8d27ae03b12631b6b7684711cd3e840e1
                                                                                  • Instruction ID: cff2d624cb7c179440d5232b3ebdd9a31325d9052a06e940395f83d14b46c5bf
                                                                                  • Opcode Fuzzy Hash: 2b24747447efea9910953d41e46288f8d27ae03b12631b6b7684711cd3e840e1
                                                                                  • Instruction Fuzzy Hash: 8931A074B012159EDB10EBB988867EEB7A5AF04304F50853BF148EB392D67C9E01CB9D
                                                                                  APIs
                                                                                    • Part of subcall function 0041BFE0: GetObjectA.GDI32(?,00000018), ref: 0041BFED
                                                                                  • GetFocus.USER32 ref: 0041C100
                                                                                  • 7427A570.USER32(?), ref: 0041C10C
                                                                                  • 74278830.GDI32(?,?,00000000,00000000,0041C18B,?,?), ref: 0041C12D
                                                                                  • 742722A0.GDI32(?,?,?,00000000,00000000,0041C18B,?,?), ref: 0041C139
                                                                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C150
                                                                                  • 74278830.GDI32(?,00000000,00000000,0041C192,?,?), ref: 0041C178
                                                                                  • 7427A480.USER32(?,?,0041C192,?,?), ref: 0041C185
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 742774278830$742722A480A570BitsFocusObject
                                                                                  • String ID:
                                                                                  • API String ID: 3722132614-0
                                                                                  • Opcode ID: 9bc0f7e3173584325c782497405155f3155e601279aa2de4800843ea242170ed
                                                                                  • Instruction ID: fd89d4ca8a39aecffd2b164b8e5ecdcf718e57c46113e586f0865db98b33e030
                                                                                  • Opcode Fuzzy Hash: 9bc0f7e3173584325c782497405155f3155e601279aa2de4800843ea242170ed
                                                                                  • Instruction Fuzzy Hash: 2D113A71A44608BBDB10DBA9CC85FAFB7FCEF48704F15846AB514E7281D67899408B68
                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(0000000E), ref: 00418C08
                                                                                  • GetSystemMetrics.USER32(0000000D), ref: 00418C10
                                                                                  • 6FD82980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C16
                                                                                    • Part of subcall function 00409948: 6FD7C400.COMCTL32(00491628,000000FF,00000000,00418C44,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0040994C
                                                                                  • 6FDECB00.COMCTL32(00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C66
                                                                                  • 6FDEC740.COMCTL32(00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C71
                                                                                  • 6FDECB00.COMCTL32(00491628,00000001,?,?,00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000), ref: 00418C84
                                                                                  • 6FD80860.COMCTL32(00491628,00418CA7,?,00000000,?,00491628,00000000,00000000,00000000,00000000,00418CA0,?,00000000,0000000D,00000000,0000000E), ref: 00418C9A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem$C400C740D80860D82980
                                                                                  • String ID:
                                                                                  • API String ID: 2924641870-0
                                                                                  • Opcode ID: 95b0c7ca0d7cac73c6eea64bc8ab2c9a66b46d4975db43f43db6c18caaa08e82
                                                                                  • Instruction ID: 7d058e0f43661e12853d483bbd2d38206b0156f2441a7355af2e3191ff54fcf4
                                                                                  • Opcode Fuzzy Hash: 95b0c7ca0d7cac73c6eea64bc8ab2c9a66b46d4975db43f43db6c18caaa08e82
                                                                                  • Instruction Fuzzy Hash: 8A116A75B44204BBDB10EBA5DC82F5DB3B8D708714F50446AF504F73D2E9799D408758
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047BC24), ref: 0047BC09
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                  • API String ID: 47109696-2530820420
                                                                                  • Opcode ID: 4044e7b086cadd3071d4caf39d8bf01831a59107471790ea0f341c578cb3ef7e
                                                                                  • Instruction ID: c6c292f7dfd23322384e3be2176fee0a6b796c43d5aa8ac4acdd36b8a0573059
                                                                                  • Opcode Fuzzy Hash: 4044e7b086cadd3071d4caf39d8bf01831a59107471790ea0f341c578cb3ef7e
                                                                                  • Instruction Fuzzy Hash: 96118E30704248AFDB02DB618D46BDB7BA8DB55304F51C4BAE805EB296DF7CDA019B9C
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,?,?,00000000), ref: 0048C54D
                                                                                    • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0048C56F
                                                                                  • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048C9CD), ref: 0048C583
                                                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 0048C5A5
                                                                                  • 7427A480.USER32(00000000,00000000,0048C5CF,0048C5C8,?,00000000,?,?,00000000), ref: 0048C5C2
                                                                                  Strings
                                                                                  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048C57A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 7427Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                                  • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                  • API String ID: 829082161-222967699
                                                                                  • Opcode ID: 17f16a66e5675f115f6803e4db0079e40b65780344f80d4b010a3b8f4350dcaf
                                                                                  • Instruction ID: 0ff1e4635251b10658a1aad062618ac87834e4e23b153399c5fc0279f3a45a1b
                                                                                  • Opcode Fuzzy Hash: 17f16a66e5675f115f6803e4db0079e40b65780344f80d4b010a3b8f4350dcaf
                                                                                  • Instruction Fuzzy Hash: 46018476A44608BFEB01EBA9CC41F5EB7ECDB49704F51047AF604E7281D678AE008B68
                                                                                  APIs
                                                                                  • SelectObject.GDI32(00000000,?), ref: 0041B408
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B417
                                                                                  • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B443
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041B451
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B45F
                                                                                  • DeleteDC.GDI32(00000000), ref: 0041B468
                                                                                  • DeleteDC.GDI32(?), ref: 0041B471
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSelect$Delete$Stretch
                                                                                  • String ID:
                                                                                  • API String ID: 1458357782-0
                                                                                  • Opcode ID: e4e7a4441f722d2d5e932f48c3d098eb8dadb36e85857d194763780bb1c34f35
                                                                                  • Instruction ID: c4fd92bf3a7a130a1ed603e8460332665172ba9f71e0f7226dd7a911700bf555
                                                                                  • Opcode Fuzzy Hash: e4e7a4441f722d2d5e932f48c3d098eb8dadb36e85857d194763780bb1c34f35
                                                                                  • Instruction Fuzzy Hash: 9E114C72E00655ABDF10DAD9D885FAFB3BCEF08704F048456B714FB241C678A8418B54
                                                                                  APIs
                                                                                  • GetCursorPos.USER32 ref: 00423347
                                                                                  • WindowFromPoint.USER32(?,?), ref: 00423354
                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423362
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00423369
                                                                                  • SendMessageA.USER32(00000000,00000084,?,?), ref: 00423382
                                                                                  • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423399
                                                                                  • SetCursor.USER32(00000000), ref: 004233AB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1770779139-0
                                                                                  • Opcode ID: 88d8144f2f31a7ce7c9ea2d83b107e499918a2be15bc84e97619d0f120612439
                                                                                  • Instruction ID: 0d08d647db1030bd971df84a08ef481e3cb2fec522b8f416a7975514cb2aaf1d
                                                                                  • Opcode Fuzzy Hash: 88d8144f2f31a7ce7c9ea2d83b107e499918a2be15bc84e97619d0f120612439
                                                                                  • Instruction Fuzzy Hash: E401FC223053103AD610BB795C86F3F22A8DBC5B65F50003FBA05AB282DE3D9D0063AD
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 0048C370
                                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048C37D
                                                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048C38A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                  • API String ID: 667068680-2254406584
                                                                                  • Opcode ID: 4e3b24ba4e2ad681dbd9a18b6f22c27088cd2461bd9f99525b144e5dc6aa77c4
                                                                                  • Instruction ID: 943ecad310307e0fc108c7ae822acdd7bbf833ca2338e28bb672ad4384977e7f
                                                                                  • Opcode Fuzzy Hash: 4e3b24ba4e2ad681dbd9a18b6f22c27088cd2461bd9f99525b144e5dc6aa77c4
                                                                                  • Instruction Fuzzy Hash: 77F0C29264171466D610316A1CC1A7F658CCB81B60F148837BE04A6282E9B88C0643B9
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045AA05
                                                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045AA15
                                                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045AA25
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                  • API String ID: 190572456-212574377
                                                                                  • Opcode ID: 8ce033781a8ebeddff6f210f59c30cce2107159bbf78c1cddf34480e866d2008
                                                                                  • Instruction ID: d57c0fc8ffca2e3895d271b6191988a2064b879c5df64bfdf0a96536cb027f45
                                                                                  • Opcode Fuzzy Hash: 8ce033781a8ebeddff6f210f59c30cce2107159bbf78c1cddf34480e866d2008
                                                                                  • Instruction Fuzzy Hash: 26F0BBB0500306CEEB34DF726D487733695A364346F148177A805652FFDB7C0858CA1D
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E5FD), ref: 0044BB87
                                                                                  • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BB98
                                                                                  • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BBA8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                  • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                  • API String ID: 2238633743-1050967733
                                                                                  • Opcode ID: 826270591faa91d333e365557f7957eb4608477112023562f10bf7429a104441
                                                                                  • Instruction ID: d4e4756ef9205d43bd93b9f2fef0047ba5620f8f9e99d58699ff538cf8867d60
                                                                                  • Opcode Fuzzy Hash: 826270591faa91d333e365557f7957eb4608477112023562f10bf7429a104441
                                                                                  • Instruction Fuzzy Hash: A4F0FE702407C3CAEB11DBE59C85B5233A4D720709F10157BE013595F5D7BCA448CB4C
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048CACE,QueryCancelAutoPlay,0048FB77), ref: 0042E74A
                                                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E750
                                                                                  • InterlockedExchange.KERNEL32(00491660,00000001), ref: 0042E761
                                                                                  • ChangeWindowMessageFilter.USER32(0000C1C1,00000001), ref: 0042E772
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                   • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                                                                  • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                  • API String ID: 1365377179-2498399450
                                                                                  • Opcode ID: 798f4d3b9e42d6978647b9e491d5591a8efc67b597b1aacdaccc600c80670fcf
                                                                                  • Instruction ID: 71b351e1e5f00bce675c0894c61af028bda518588696eba08359233394634fc9
                                                                                  • Opcode Fuzzy Hash: 798f4d3b9e42d6978647b9e491d5591a8efc67b597b1aacdaccc600c80670fcf
                                                                                  • Instruction Fuzzy Hash: 88E0ECA1B41311EBEA217BB2AD8AFAA29949768796F980037F101651F2C6BD0C40C91C
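Added example, not Joe Sandbox code and not code from the sample: a Python triage helper that parses "APIs" lists in the form shown in the entries above into records and flags the behaviours the listing encodes, namely run-time resolution of exports through GetProcAddress (here the BZ2_* decompressor and VerifyVersionInfoW), registry queries, GDI bitmap read-back and ChangeWindowMessageFilter. It assumes that an eight-hex-digit call name such as 7427A570.USER32 is a target the IDA plugin could not map to an export name and that "?" is an argument the sandbox did not recover; neither convention is documented, and the capability labels are this example's own.

```python
"""Triage helper for the per-function "APIs" lists of a Joe Sandbox report.
Added example, not Joe Sandbox code. Assumed (undocumented) conventions: a call
"name" of eight hex digits (7427A570.USER32) is a call target the IDA plugin
could not map to an export, and "?" is an argument the sandbox did not recover.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

HEX8 = re.compile(r"[0-9A-F]{8}")

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by the report's
# "Part of subcall function XXXXXXXX:" marker for calls made by a callee.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Capability buckets keyed on API names that occur in this report (example's own labels).
CAPABILITY_RULES = {
    "dynamic_api_resolution": {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"},
    "registry_query": {"RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"},
    "gdi_bitmap_readback": {"GetDIBits", "StretchBlt"},
    "window_message_filter": {"ChangeWindowMessageFilter"},
}

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str            # call-site address
    parent: str | None  # sub-function address for "Part of subcall" lines

    @property
    def unresolved(self) -> bool:
        return HEX8.fullmatch(self.api) is not None  # raw target, not an export name

def parse_api_lines(text: str) -> list[ApiCall]:
    """Every API line in `text` as an ApiCall; other report lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("parent")))
    return calls

def resolved_symbols(calls: list[ApiCall]) -> list[str]:
    """Export names looked up at run time as GetProcAddress(hModule, "Name")."""
    names = {c.args[1] for c in calls
             if c.api == "GetProcAddress" and len(c.args) >= 2
             and c.args[1] != "?" and not HEX8.fullmatch(c.args[1])}
    return sorted(names)

def tag_capabilities(calls: list[ApiCall]) -> set[str]:
    tags = {tag for c in calls for tag, apis in CAPABILITY_RULES.items() if c.api in apis}
    syms = resolved_symbols(calls)
    if any(s.startswith("BZ2_") for s in syms):
        tags.add("bzip2_decompression_via_getprocaddress")
    if {"VerifyVersionInfoW", "VerSetConditionMask"} & set(syms):
        tags.add("os_version_probe")
    return tags

def summarize(text: str) -> dict[str, object]:
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "unresolved": sum(1 for c in calls if c.unresolved),
        "resolved_symbols": resolved_symbols(calls),
        "capabilities": sorted(tag_capabilities(calls)),
    }

# Constructed sample in the shape of this report's "APIs" lists.
SAMPLE = r"""• GetFocus.USER32 ref: 0041C100
• 7427A570.USER32(?), ref: 0041C10C
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C150
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045AA05
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045AA15
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044E5FD), ref: 0044BB87
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00471A73
• ChangeWindowMessageFilter.USER32(0000C1C1,00000001), ref: 0042E772
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the text of a whole report section rather than the constructed sample to get one summary per analysed sample; the unresolved count is worth watching because a high ratio of raw-address calls usually means the dump was taken before imports were fixed up or the code resolves targets itself, which changes how much weight the API names deserve.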
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0048FB6D), ref: 00471A56
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00471A63
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00471A73
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
APIs
• GetFocus.USER32 ref: 0041B6DD
• 7427A570.USER32(?), ref: 0041B6E9
• 74278830.GDI32(00000000,?,00000000,00000000,0041B7B4,?,?), ref: 0041B71E
• 742722A0.GDI32(00000000,00000000,?,00000000,00000000,0041B7B4,?,?), ref: 0041B72A
• 74286310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B792,?,00000000,0041B7B4,?,?), ref: 0041B758
• 74278830.GDI32(00000000,00000000,00000000,0041B799,?,?,00000000,00000000,0041B792,?,00000000,0041B7B4,?,?), ref: 0041B78C
Similarity
• API ID: 74278830$742774272274286310A570Focus
• String ID:
• API String ID: 167376926-0
APIs
• GetFocus.USER32 ref: 0041B9AF
• 7427A570.USER32(?), ref: 0041B9BB
• 74278830.GDI32(00000000,?,00000000,00000000,0041BA81,?,?), ref: 0041B9F5
• 742722A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA81,?,?), ref: 0041BA01
• 74286310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA5F,?,00000000,0041BA81,?,?), ref: 0041BA25
• 74278830.GDI32(00000000,00000000,00000000,0041BA66,?,?,00000000,00000000,0041BA5F,?,00000000,0041BA81,?,?), ref: 0041BA59
Similarity
• API ID: 74278830$742774272274286310A570Focus
• String ID:
• API String ID: 167376926-0
APIs
• GetFocus.USER32 ref: 0041B516
• 7427A570.USER32(?,00000000,0041B5F0,?,?,?,?), ref: 0041B522
• 74284620.GDI32(?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0,?,?,?,?), ref: 0041B53E
• 742AE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0,?,?,?,?), ref: 0041B55B
• 742AE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B5C4,?,?,00000000,0041B5F0), ref: 0041B572
• 7427A480.USER32(?,?,0041B5CB,?,?), ref: 0041B5BE
Similarity
• API ID: 7427E680$74284620A480A570Focus
• String ID:
• API String ID: 3042314804-0
APIs
  • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,02163888,00000FFF,00000000,004571A0,?,?,00000000,00000000), ref: 004570DB
  • Part of subcall function 004569B4: CloseHandle.KERNEL32(?), ref: 004569EB
  • Part of subcall function 004569B4: WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456A15
  • Part of subcall function 004569B4: GetExitCodeProcess.KERNEL32(?), ref: 00456A26
  • Part of subcall function 004569B4: CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A6D
  • Part of subcall function 004569B4: Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456A89
  • Part of subcall function 004569B4: TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456A07
Similarity
• API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
• String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
• API String ID: 3965036325-83444288
APIs
• SetLastError.KERNEL32(00000057,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A42B
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045A4F8,?,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A46A
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BD6D
• GetSystemMetrics.USER32(0000000C), ref: 0041BD77
• 7427A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD81
• 74284620.GDI32(00000000,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDA8
• 74284620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDB5
• 7427A480.USER32(00000000,00000000,0041BDFB,0000000E,00000000,0041BDF4,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDEE
Similarity
• API ID: 742774284620MetricsSystem$A480A570
• String ID:
• API String ID: 1789013595-0
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 00476AD2
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00466F4D), ref: 00476AF8
• GetWindowLongA.USER32(?,000000EC), ref: 00476B08
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 00476B29
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00476B3D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00476B59
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
APIs
  • Part of subcall function 0041A678: CreateBrushIndirect.GDI32 ref: 0041A6E3
• UnrealizeObject.GDI32(00000000), ref: 0041B214
• SelectObject.GDI32(?,00000000), ref: 0041B226
• SetBkColor.GDI32(?,00000000), ref: 0041B249
• SetBkMode.GDI32(?,00000002), ref: 0041B254
• SetBkColor.GDI32(?,00000000), ref: 0041B26F
• SetBkMode.GDI32(?,00000001), ref: 0041B27A
  • Part of subcall function 00419FF0: GetSysColor.USER32(?), ref: 00419FFA
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 0046FEEE
• 742859E0.USER32(00000000,000000FC,0046FE4C,00000000,0047007E,?,00000000,004700A3), ref: 0046FF15
• GetACP.KERNEL32(00000000,0047007E,?,00000000,004700A3), ref: 0046FF52
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046FF98
Similarity
• API ID: 742859ClassInfoMessageSend
• String ID: COMBOBOX
• API String ID: 1333258245-1136563877
                                                                                  • Opcode ID: ed9dfa75f4c8d360731416eb999a4aa66e98f50d8d76bad7acd2ea423bac2f39
                                                                                  • Instruction ID: 34999040898945efd7bf9774008312f26667484ef2a160594c613f8c803993ab
                                                                                  • Opcode Fuzzy Hash: ed9dfa75f4c8d360731416eb999a4aa66e98f50d8d76bad7acd2ea423bac2f39
                                                                                  • Instruction Fuzzy Hash: EF518030600245EFCB50DF69E885B99B7B5EB09714F1081B7E804EB3A2DB34AD45CB58
                                                                                  APIs
                                                                                    • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
                                                                                  • ShowWindow.USER32(?,00000005,00000000,0048F05C,?,?,00000000), ref: 0048EE5A
                                                                                    • Part of subcall function 0042D798: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7AB
                                                                                    • Part of subcall function 00407238: SetCurrentDirectoryA.KERNEL32(00000000,?,0048EE82,00000000,0048F028,?,?,00000005,00000000,0048F05C,?,?,00000000), ref: 00407243
                                                                                    • Part of subcall function 0042D320: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3AE,?,?,00000000,?,?,0048EE8C,00000000,0048F028,?,?,00000005), ref: 0042D355
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                  • String ID: .dat$.msg$IMsg$Uninstall
                                                                                  • API String ID: 3312786188-1660910688
                                                                                  • Opcode ID: 89aaab86eebdfb02b9e2b8e446069827cd063c739e1b0438e722919dc2f4d9f0
                                                                                  • Instruction ID: e953af1becc893fd7b4a2d92d2dfc468d03227211ff677cbd897ed5c0636aa5d
                                                                                  • Opcode Fuzzy Hash: 89aaab86eebdfb02b9e2b8e446069827cd063c739e1b0438e722919dc2f4d9f0
                                                                                  • Instruction Fuzzy Hash: E6319334A00604AFD710FFB5CD5295E7BB5EB49304B918876F900AB3A2D77DAD05CB98
                                                                                  APIs
                                                                                  • RtlInitializeCriticalSection.KERNEL32(00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • RtlEnterCriticalSection.KERNEL32(00491420,00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • RtlLeaveCriticalSection.KERNEL32(00491420,00401A89,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                  • String ID: \~
                                                                                  • API String ID: 730355536-1166203647
                                                                                  • Opcode ID: 79e9dac46c8aaeed53ee9c5f646d3f1e5cadfb67f957e71d22379573a7e76d2f
                                                                                  • Instruction ID: b3d2bc59f151f41c0eabde12bfc62168f6f77712819aedb873599e1a68e1a200
                                                                                  • Opcode Fuzzy Hash: 79e9dac46c8aaeed53ee9c5f646d3f1e5cadfb67f957e71d22379573a7e76d2f
                                                                                  • Instruction Fuzzy Hash: 6501C0706442425EFB19AB6998027253ED4D79D788F51843BF440A7AF1C67C4880CB2D
                                                                                  APIs
                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455AFC
                                                                                  • GetExitCodeProcess.KERNEL32(?,0048F733), ref: 00455B1D
                                                                                  • CloseHandle.KERNEL32(?,00455B50,?,?,kcE,00000000,00000000), ref: 00455B43
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                  • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                  • API String ID: 2573145106-3235461205
                                                                                  • Opcode ID: cbbb06d9bad31b439cba8717d06d469a5d4c1a803a701f517ddf0524c4dc77b5
                                                                                  • Instruction ID: 48fa93de125c22366ce476b0a639e770b096c34d87a5e80965ab2036791bda1c
                                                                                  • Opcode Fuzzy Hash: cbbb06d9bad31b439cba8717d06d469a5d4c1a803a701f517ddf0524c4dc77b5
                                                                                  • Instruction Fuzzy Hash: 1001A230A00A09AFDB21EBA98C66B3A73A8EB49714F604577F910D73D2D638BD048659
                                                                                  APIs
                                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00470C98
                                                                                  • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00470D8F,00491F50,00000000), ref: 00470CAB
                                                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00470CB1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                  • String ID: AllowSetForegroundWindow$user32.dll
                                                                                  • API String ID: 1782028327-3855017861
                                                                                  • Opcode ID: ba85fcf1da409c7155cf3be5e84f4fe10c5145e9c7f4b47efe884d8763916793
                                                                                  • Instruction ID: 3424602a847456f4725b68c3def3e962e447e3f4a91fcaf5290cb4c740a1689f
                                                                                  • Opcode Fuzzy Hash: ba85fcf1da409c7155cf3be5e84f4fe10c5145e9c7f4b47efe884d8763916793
                                                                                  • Instruction Fuzzy Hash: D6D09EA1203701ADEA1572B68D46E6F225C9944754B64862BB404E728ADA7CE804496D
                                                                                  APIs
                                                                                  • BeginPaint.USER32(00000000,?), ref: 00416BEA
                                                                                  • SaveDC.GDI32(?), ref: 00416C1B
                                                                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CDD), ref: 00416C7C
                                                                                  • RestoreDC.GDI32(?,?), ref: 00416CA3
                                                                                  • EndPaint.USER32(00000000,?,00416CE4,00000000,00416CDD), ref: 00416CD7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                  • String ID:
                                                                                  • API String ID: 3808407030-0
                                                                                  • Opcode ID: 9dbee4afef3342a1118fe94af4db042876ba076589cd8fbe03d3dafbab9a1917
                                                                                  • Instruction ID: d01cb87f5b59018fc56deeb4e87b7ab8bc0427f6b3bc4af5dc1a1103c08de3bf
                                                                                  • Opcode Fuzzy Hash: 9dbee4afef3342a1118fe94af4db042876ba076589cd8fbe03d3dafbab9a1917
                                                                                  • Instruction Fuzzy Hash: 92413F70A042049FDB14DBA9C585FAAB7F8FF48304F1640AAE8449B362D778DD41CF58
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 467955183208ce25b054c041a4296c22cdeaecd9d68ca8a84e60d52ec3adc7bc
                                                                                  • Instruction ID: 0b27ab95fc397ea4887dead8241102332a9c138a594af593d7cc3aeb0b08d67b
                                                                                  • Opcode Fuzzy Hash: 467955183208ce25b054c041a4296c22cdeaecd9d68ca8a84e60d52ec3adc7bc
                                                                                  • Instruction Fuzzy Hash: 55310E746047449FC320EB69C584BABB7E8AF89714F04891EF9D5C7791C778EC808B19
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A0
                                                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297CF
                                                                                  • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297EB
                                                                                  • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429816
                                                                                  • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429834
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: f51c000d5b75d04aa275696eebc01621a37157c7b265c612b2e1571bb09fb902
                                                                                  • Instruction ID: 89df0b0ea6b704c8094771ed204f1775ba8948c405ba470affa89d1326c9a020
                                                                                  • Opcode Fuzzy Hash: f51c000d5b75d04aa275696eebc01621a37157c7b265c612b2e1571bb09fb902
                                                                                  • Instruction Fuzzy Hash: AE21AF70750714BAE710AB67CC82F9BB6ECDB41708F90043EB902AB2D2DB78AD41861C
                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(0000000B), ref: 0041BB62
                                                                                  • GetSystemMetrics.USER32(0000000C), ref: 0041BB6C
                                                                                  • 7427A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBAA
                                                                                  • 74286310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD15,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBF1
                                                                                  • DeleteObject.GDI32(00000000), ref: 0041BC32
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem$742774286310A570DeleteObject
                                                                                  • String ID:
                                                                                  • API String ID: 3170013296-0
                                                                                  • Opcode ID: 81c0469bd937656807314b2f160fa72611f686b9a9e4561c5b4ad3645fba98bf
                                                                                  • Instruction ID: db3e645bd233964b4bfb6ef65323c35588abf36d0d90ac3393220eac8c93e687
                                                                                  • Opcode Fuzzy Hash: 81c0469bd937656807314b2f160fa72611f686b9a9e4561c5b4ad3645fba98bf
                                                                                  • Instruction Fuzzy Hash: C4318074E00209EFDB00DFA5C941AAEF7F5EB48704F5085AAF510AB381D7389E80DB98
                                                                                  APIs
                                                                                    • Part of subcall function 0045A3C0: SetLastError.KERNEL32(00000057,00000000,0045A48C,?,?,?,?,00000000), ref: 0045A42B
                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,0046CF60,?,?,00000001,00492070), ref: 0046CF19
                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,0046CF60,?,?,00000001,00492070), ref: 0046CF2F
                                                                                  Strings
                                                                                  • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046CF23
                                                                                  • Setting permissions on registry key: %s\%s, xrefs: 0046CEDE
                                                                                  • Failed to set permissions on registry key (%d)., xrefs: 0046CF40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                  • API String ID: 1452528299-4018462623
                                                                                  • Opcode ID: 1558ad47347fe0cb0cb2613aba19e83ad6842849032d35ab6e38b0d9c5d2390b
                                                                                  • Instruction ID: ef7c85a59db57ad542929e1cce8e4a404c5f136f3084124e425ae329c13d753f
                                                                                  • Opcode Fuzzy Hash: 1558ad47347fe0cb0cb2613aba19e83ad6842849032d35ab6e38b0d9c5d2390b
                                                                                  • Instruction Fuzzy Hash: BA21C870A046449FCB04DBAEC8826BEBBE5EF49314F50417BE444E73D2E77C5905876A
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$AllocString
                                                                                  • String ID:
                                                                                  • API String ID: 262959230-0
                                                                                  • Opcode ID: a25dcb7dcef0a7fc2663accc9c98bc47e8be32d0fe9c1fcc61f4f26f659e45fd
                                                                                  • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                  • Opcode Fuzzy Hash: a25dcb7dcef0a7fc2663accc9c98bc47e8be32d0fe9c1fcc61f4f26f659e45fd
                                                                                  • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
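The function records above are machine-generated: each lists the API calls the Joe Sandbox IDA plugin recovered (with argument values where it could resolve them) and an instruction fuzzy hash for the function. As an added example, not part of the Joe Sandbox report or of the sample, the following Python parses records in exactly that format and tags the three patterns an analyst would pivot on in this listing: run-time API resolution (GetModuleHandleA followed by GetProcAddress, as in the AllowSetForegroundWindow record), a spawn-and-wait on a child process (MsgWaitForMultipleObjects plus GetExitCodeProcess), and imports the plugin could not name (entries such as 742859E0 or 7427A570 that appear as a bare address instead of an export name). The sample input is constructed from lines copied off this page; the rule names and the tagging logic are my own and are not part of the report.

```python
import re

# Constructed sample input: three "APIs" records copied from the function
# listing on this page (the order here is mine).
SAMPLE = """\
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455AFC
• GetExitCodeProcess.KERNEL32(?,0048F733), ref: 00455B1D
• CloseHandle.KERNEL32(?,00455B50,?,?,kcE,00000000,00000000), ref: 00455B43
Similarity
• Instruction Fuzzy Hash: 1001A230A00A09AFDB21EBA98C66B3A73A8EB49714F604577F910D73D2D638BD048659
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00470C98
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00470D8F,00491F50,00000000), ref: 00470CAB
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00470CB1
Similarity
• Instruction Fuzzy Hash: D6D09EA1203701ADEA1572B68D46E6F225C9944754B64862BB404E728ADA7CE804496D
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BB62
• 7427A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBAA
• DeleteObject.GDI32(00000000), ref: 0041BC32
Similarity
• Instruction Fuzzy Hash: C4318074E00209EFDB00DFA5C941AAEF7F5EB48704F5085AAF510AB381D7389E80DB98
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE(arg,arg,...), ref: ADDRESS
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HASH_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)")
# An "API name" that is just an 8-digit address: the plugin found no export name.
UNRESOLVED_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# tag -> (APIs that must all be present, APIs of which at least one must be present)
RULES = {
    "dynamic-api-resolution": (
        {"GetProcAddress"},
        {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"},
    ),
    "child-process-wait": (
        {"GetExitCodeProcess"},
        {"MsgWaitForMultipleObjects", "WaitForSingleObject", "WaitForMultipleObjects"},
    ),
}


def parse_records(text):
    """Split the listing at each 'APIs' heading into per-function records."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "hash": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current["apis"].append({
                "api": m["api"],
                "module": m["mod"],
                "args": [a for a in m["args"].split(",") if a],
                "ref": m["ref"],
                "subcall": bool(m["sub"]),
            })
            continue
        h = HASH_RE.match(line)
        if h:
            current["hash"] = h["hash"]
    return records


def tag_record(rec):
    """Apply RULES to the set of API names in one record."""
    names = {c["api"] for c in rec["apis"]}
    tags = [tag for tag, (must, any_of) in RULES.items()
            if must <= names and names & any_of]
    if any(UNRESOLVED_RE.match(c["api"]) for c in rec["apis"]):
        tags.append("unresolved-import")
    return tags


def string_args(rec):
    """Literal (non-address, non-'?') arguments the plugin recovered, e.g. DLL/export names."""
    return [a for c in rec["apis"] for a in c["args"]
            if not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", a)]


def triage(text):
    """Per function: fuzzy hash to pivot on, tags, and recovered string arguments."""
    return [{"hash": r["hash"], "tags": tag_record(r), "strings": string_args(r)}
            for r in parse_records(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print((row["hash"] or "")[:16], row["tags"], row["strings"])
```

The fuzzy hash is kept per record so a hit can be searched across other reports; the recovered string arguments are kept because they are often the quickest identifier of what a function does. On this page the user32.dll/AllowSetForegroundWindow resolution, the ".dat", ".msg" and "Uninstall" strings, and the "Setting permissions on registry key: %s\%s" messages are the kind of strings an Inno Setup installer stub carries (my reading of the listing, not something the report states).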
                                                                                  APIs
                                                                                  • 74278830.GDI32(00000000,00000000,00000000), ref: 004143B1
                                                                                  • 742722A0.GDI32(00000000,00000000,00000000,00000000), ref: 004143B9
                                                                                  • 74278830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143CD
                                                                                  • 742722A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143D3
                                                                                  • 7427A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143DE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: 74272274278830$7427A480
                                                                                  • String ID:
                                                                                  • API String ID: 163780596-0
                                                                                  • Opcode ID: ac3ba5ec9f47890fe6046dfa189f75fd0bee42a67d05a44b9527fc943465d49f
                                                                                  • Instruction ID: 3a0d44f5d7faf9fe2bb52ae42b51fe77fe62cd6758d91a408017df0657574073
                                                                                  • Opcode Fuzzy Hash: ac3ba5ec9f47890fe6046dfa189f75fd0bee42a67d05a44b9527fc943465d49f
                                                                                  • Instruction Fuzzy Hash: 9401DF3531C3806AD200B63E8C85A9F6BEC8FCA314F05596EF498DB383CA7ACC018765
                                                                                  APIs
                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,004746A6,?,00000000,00000000,00000001,00000000,004731C9,?,00000000), ref: 0047318D
                                                                                  Strings
                                                                                  • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00473001
                                                                                  • Failed to parse "reg" constant, xrefs: 00473194
                                                                                  • .G, xrefs: 00473026
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$.G
                                                                                  • API String ID: 3535843008-3259947705
                                                                                  • Opcode ID: a8ec807fdfd9d288c69130123b0e62607720fcde4ee3a5e8d6a4d6bf2e1d5566
                                                                                  • Instruction ID: d3de52e573be9792d774070a052a544339806b0d6ab8d46a77d771b2b0eca22f
                                                                                  • Opcode Fuzzy Hash: a8ec807fdfd9d288c69130123b0e62607720fcde4ee3a5e8d6a4d6bf2e1d5566
                                                                                  • Instruction Fuzzy Hash: C6816170E00148AFCB10EFA5C485ADEBBF9EF48315F50816AE814A7395DB38AF05DB58
                                                                                  APIs
                                                                                  • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F93
                                                                                  • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040700D
                                                                                  • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407065
                                                                                  Similarity
                                                                                  • API ID: Enum$NameOpenResourceUniversal
                                                                                  • String ID: Z
                                                                                  • API String ID: 3604996873-1505515367
                                                                                  • Opcode ID: 4fbae2768792f62ec27454655fe243a80966ce4e8b03315e75fa75894fd07684
                                                                                  • Instruction ID: 735be7eb0b4da2dda06d529e75480a139d3e19f565dfc92d6ef8ab2fa0ce30cd
                                                                                  • Opcode Fuzzy Hash: 4fbae2768792f62ec27454655fe243a80966ce4e8b03315e75fa75894fd07684
                                                                                  • Instruction Fuzzy Hash: 44518270E04208EFDB15EF55C841A9EBBB9EF49304F1081BAE510BB3D1D778AE458B5A
                                                                                  APIs
                                                                                  • 7427A570.USER32(00000000,00000000,0042E9EF,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8C6
                                                                                    • Part of subcall function 0041A180: CreateFontIndirectA.GDI32(?), ref: 0041A23F
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0042E8E9
                                                                                  • 7427A480.USER32(00000000,?,0042E9D4,00000000,0042E9CD,?,00000000,00000000,0042E9EF,?,?,?,?,00000000,00000000,00000000), ref: 0042E9C7
                                                                                  Similarity
                                                                                  • API ID: 7427$A480A570CreateFontIndirectObjectSelect
                                                                                  • String ID: ...\
                                                                                  • API String ID: 2074263247-983595016
                                                                                  • Opcode ID: 6bac56e0a1e1d030e3442e16f80a86cf89f7188d6604d290fad7fbfa57b2ff83
                                                                                  • Instruction ID: 1aab5199582a6c180f2ff9654c10ae8312a8ca65cc5aa023ecc5a249eb890d51
                                                                                  • Opcode Fuzzy Hash: 6bac56e0a1e1d030e3442e16f80a86cf89f7188d6604d290fad7fbfa57b2ff83
                                                                                  • Instruction Fuzzy Hash: 9B3161B0B00128AFDF11EB9AD841BAEB7F8EF49304F90447BF400A7291C7785E85CA59
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FA7
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048E19D,_iu,?,00000000,00451FF2), ref: 00451FB7
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle
                                                                                  • String ID: .tmp$_iu
                                                                                  • API String ID: 3498533004-10593223
                                                                                  • Opcode ID: c34424a2c96d0d09866b7ff145e3dc2aae655ba7c79e62e503256b2f29b8af3d
                                                                                  • Instruction ID: 3ec03c526205475de97859747d214e84d91a0a24a25cc78bc42f9ff7b87d07c8
                                                                                  • Opcode Fuzzy Hash: c34424a2c96d0d09866b7ff145e3dc2aae655ba7c79e62e503256b2f29b8af3d
                                                                                  • Instruction Fuzzy Hash: CC31C571A00249ABCB11EB95C982B9EFBB5AF44319F60452AF900B73D2D7785F05C798
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegCloseKey.ADVAPI32(?,0048A1F2,?,?,00000001,00000000,00000000,0048A20D), ref: 0048A1DB
                                                                                  Strings
                                                                                  • %s\%s_is1, xrefs: 0048A16C
                                                                                  • Inno Setup CodeFile: , xrefs: 0048A19E
                                                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048A14E
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                  • API String ID: 47109696-1837835967
                                                                                  • Opcode ID: b624771721beb2404a95d1e83b620549d5a6b172729843f25a0228502058730a
                                                                                  • Instruction ID: a5d615d1b3f8cef788befc11580f5f62f4b91129ed11068eb2387ca442f9be7f
                                                                                  • Opcode Fuzzy Hash: b624771721beb2404a95d1e83b620549d5a6b172729843f25a0228502058730a
                                                                                  • Instruction Fuzzy Hash: BF31B770A042585FDB11EF99CC41A9EBBF9FB48304F90487BE404E7391D7789E118B59
                                                                                  APIs
                                                                                  • GetClassInfoA.USER32(00400000,?,?), ref: 00416417
                                                                                  • UnregisterClassA.USER32(?,00400000), ref: 00416443
                                                                                  • RegisterClassA.USER32(?), ref: 00416466
                                                                                  Similarity
                                                                                  • API ID: Class$InfoRegisterUnregister
                                                                                  • String ID: @
                                                                                  • API String ID: 3749476976-2766056989
                                                                                  • Opcode ID: c6f754ddbc1f1592c038d5fd8d8a6edf7e8c30b70e6925c2268abc12fe8df858
                                                                                  • Instruction ID: 8d5fd529f2c4ecc0e90252aabd6d594848dc8255f615fdd73e4063fc75abf067
                                                                                  • Opcode Fuzzy Hash: c6f754ddbc1f1592c038d5fd8d8a6edf7e8c30b70e6925c2268abc12fe8df858
                                                                                  • Instruction Fuzzy Hash: 04318E706042448BD710EF68C981BDB77E9AB84308F04447EF945DB392DB39D984CB6A
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044F514
                                                                                  • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F556
                                                                                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F587
                                                                                  Similarity
                                                                                  • API ID: MessageSend$ExecuteShell
                                                                                  • String ID: open
                                                                                  • API String ID: 2179883421-2758837156
                                                                                  • Opcode ID: 360b20596ba14dfcacaf102da6d8fd63a38cba34a27391c9a436a38375e38bd8
                                                                                  • Instruction ID: f6c121e396d337d32eb6a789f445b56fd050c9e01d6657e7198035f37428b3f8
                                                                                  • Opcode Fuzzy Hash: 360b20596ba14dfcacaf102da6d8fd63a38cba34a27391c9a436a38375e38bd8
                                                                                  • Instruction Fuzzy Hash: E7218171E40204BFEB10DFA9CC42B9EB7B8AB44714F20857BB401E7292D6789E058A48
                                                                                  APIs
                                                                                  • GetFileAttributesA.KERNEL32(00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F27C
                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0048FAC9,00000000,0048F302,?,?,00000000,00491628), ref: 0048F2A5
                                                                                  • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0048F2BE
                                                                                  Similarity
                                                                                  • API ID: File$Attributes$Move
                                                                                  • String ID: isRS-%.3u.tmp
                                                                                  • API String ID: 3839737484-3657609586
                                                                                  • Opcode ID: 979824f62d6b447bd564da45f68fcd6230ebe23141ac59a22f77e4fe4f4f358e
                                                                                  • Instruction ID: 61be1f871612b34a02b642c1353b08c71706081479864b0027ec20696c0f7de2
                                                                                  • Opcode Fuzzy Hash: 979824f62d6b447bd564da45f68fcd6230ebe23141ac59a22f77e4fe4f4f358e
                                                                                  • Instruction Fuzzy Hash: A4216171E00209AFCB00FFA9C8819AFB7B8AF48314F10497BB814B72D1D6389E458B59
                                                                                  APIs
                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                  • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                  Similarity
                                                                                  • API ID: ExitMessageProcess
                                                                                  • String ID: Error$Runtime error at 00000000
                                                                                  • API String ID: 1220098344-2970929446
                                                                                  • Opcode ID: b73e79376dc86986e2de3d6786bf52b89e6212eacab09463d725525c724406b4
                                                                                  • Instruction ID: 4964c014a9b225fdafc930403c361c4a0e2b82a5ec25387492832e0e5010fe64
                                                                                  • Opcode Fuzzy Hash: b73e79376dc86986e2de3d6786bf52b89e6212eacab09463d725525c724406b4
                                                                                  • Instruction Fuzzy Hash: 1F21F564A442838ADB11A775AC817163BC09BE9348F048177E700F77F2C67D8C85C7AE
                                                                                  APIs
                                                                                    • Part of subcall function 0042C6EC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C710
                                                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004548DC
                                                                                  • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454909
                                                                                  Similarity
                                                                                  • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                  • String ID: LoadTypeLib$RegisterTypeLib
                                                                                  • API String ID: 1312246647-2435364021
APIs
  • Part of subcall function 0042425C: SetWindowTextA.USER32(?,00000000), ref: 00424274
• GetFocus.USER32 ref: 00471587
• GetKeyState.USER32(0000007A), ref: 00471599
• WaitMessage.USER32(?,00000000,004715C0,?,00000000,004715E7,?,?,00000001,00000000,?,?,?,?,0047882F,00000000), ref: 004715A3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 004684E4
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004684F3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045245B
  • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452480
  • Part of subcall function 00451A98: GetLastError.KERNEL32(00000000,00452509,00000005,00000000,0045253E,?,?,00000000,00491628,00000004,00000000,00000000,00000000,?,0048F3A1,00000000), ref: 00451A9B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
APIs
  • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047BB28
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 0047BAD2
• CSDVersion, xrefs: 0047BAFC
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452156,00000000,004521F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004524C5,00000000), ref: 0042D7DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7E4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048FB45), ref: 0044ECF3
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044ECF9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048FB91,00000001,00000000,0048FBB5), ref: 0048F91A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0048F920
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
APIs
  • Part of subcall function 0044A9DC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044ECE9,0048FB45), ref: 0044AA03
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AA1B
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AA2D
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AA3F
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AA51
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA63
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AA75
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AA87
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AA99
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AAAB
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AABD
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AACF
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AAE1
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AAF3
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AB05
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AB17
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AB29
  • Part of subcall function 0044A9DC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AB3B
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0048FB63), ref: 0045F42F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045F435
Strings
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
APIs
• GetDesktopWindow.USER32 ref: 00413CDE
• GetDesktopWindow.USER32 ref: 00413D96
  • Part of subcall function 00418E58: 6FDEC6F0.COMCTL32(?,00000000,00413F5B,00000000,0041406B,?,?,00491628), ref: 00418E74
  • Part of subcall function 00418E58: ShowCursor.USER32(00000001,?,00000000,00413F5B,00000000,0041406B,?,?,00491628), ref: 00418E91
• SetCursor.USER32(00000000,?,?,?,?,00413A8B,00000000,00413A9E), ref: 00413DD4
Memory Dump Source
• Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A05
                                                                                  • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A74
                                                                                  • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B0F
                                                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B4E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadString$FileMessageModuleName
                                                                                  • String ID:
                                                                                  • API String ID: 704749118-0
                                                                                  • Opcode ID: ebd030581ac431f97c2338603ef737fe227fa2e060e8ef1bfaf9cc22063cac2e
                                                                                  • Instruction ID: d45b7975f82c9d70b934f6c50788ad2e06e2971270f8d73bb404f5d5711a2fe4
                                                                                  • Opcode Fuzzy Hash: ebd030581ac431f97c2338603ef737fe227fa2e060e8ef1bfaf9cc22063cac2e
                                                                                  • Instruction Fuzzy Hash: 533161716083819ED330EB65C945BDB77E89B86704F00483FB6C8EB2D1EB799904876B
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044DE75
                                                                                    • Part of subcall function 0044C5E8: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C61A
                                                                                  • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044DEF9
                                                                                    • Part of subcall function 0042BB4C: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB60
                                                                                  • IsRectEmpty.USER32(?), ref: 0044DEBB
                                                                                  • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044DEDE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                  • String ID:
                                                                                  • API String ID: 855768636-0
                                                                                  • Opcode ID: 443ab47adb1ec5c9c35ae6fd72f99f5c857124858bc59851fde32f0e366e849c
                                                                                  • Instruction ID: a13c456d72208a623a7b883bc2c1d4b88f1433389d4f27aa7ab4984ad5729aa9
                                                                                  • Opcode Fuzzy Hash: 443ab47adb1ec5c9c35ae6fd72f99f5c857124858bc59851fde32f0e366e849c
                                                                                  • Instruction Fuzzy Hash: 1B115C72B4030027E610BB7E9C86B6B66C99B88709F15493FB505EB387DE79DC0583A9
                                                                                  APIs
                                                                                  • OffsetRect.USER32(?,?,00000000), ref: 0048C910
                                                                                  • OffsetRect.USER32(?,00000000,?), ref: 0048C92B
                                                                                  • OffsetRect.USER32(?,?,00000000), ref: 0048C945
                                                                                  • OffsetRect.USER32(?,00000000,?), ref: 0048C960
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: OffsetRect
                                                                                  • String ID:
                                                                                  • API String ID: 177026234-0
                                                                                  • Opcode ID: 344f90fd973b61dec1719f74986ca825845ed497906d6150224b7383c721799f
                                                                                  • Instruction ID: 42f8aa55f024e3429e2eaa94a5be14035eb449308597c6f44df06c8aab2f85cb
                                                                                  • Opcode Fuzzy Hash: 344f90fd973b61dec1719f74986ca825845ed497906d6150224b7383c721799f
                                                                                  • Instruction Fuzzy Hash: A9217CB67042019BC700EE69CD85E5BB7EEEBD4314F14CA2AF944C724AD634E90487A6
                                                                                  APIs
                                                                                  • GetCursorPos.USER32 ref: 004171F8
                                                                                  • SetCursor.USER32(00000000), ref: 0041723B
                                                                                  • GetLastActivePopup.USER32(?), ref: 00417265
                                                                                  • GetForegroundWindow.USER32(?), ref: 0041726C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1959210111-0
                                                                                  • Opcode ID: 49b72ea5b80ad026c74ee01f3b8aa1d70c4e113c6919eb178b0b945e67937c83
                                                                                  • Instruction ID: 474a02dae0bc1cc16c74f463c4dfa897162101ab82a57061081b6ea4e8c8a524
                                                                                  • Opcode Fuzzy Hash: 49b72ea5b80ad026c74ee01f3b8aa1d70c4e113c6919eb178b0b945e67937c83
                                                                                  • Instruction Fuzzy Hash: 7C21C1707442018BC710AB69D844ADB33F1AB28724B1549AFF8159B3A2DB3DCC82CB89
                                                                                  APIs
                                                                                  • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048C625
                                                                                  • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048C639
                                                                                  • MulDiv.KERNEL32(F79033E8,00000008,?), ref: 0048C64D
                                                                                  • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048C66B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c45f815ace7d04306764da949dfdc0a4b8441de88e84914829dbb49b4c4a4f4c
                                                                                  • Instruction ID: b4ebb5979fa4b2e9a5afe8ea56fb1b403c0725f10a041755f011a7e7f9c329d4
                                                                                  • Opcode Fuzzy Hash: c45f815ace7d04306764da949dfdc0a4b8441de88e84914829dbb49b4c4a4f4c
                                                                                  • Instruction Fuzzy Hash: 55112472604204ABCB40EF99D8C4D9B77ECEF4D364B145566F918DB245D634DD408BA8
                                                                                  APIs
                                                                                  • GetClassInfoA.USER32(00400000,0041F408,?), ref: 0041F439
                                                                                  • UnregisterClassA.USER32(0041F408,00400000), ref: 0041F462
                                                                                  • RegisterClassA.USER32(00490598), ref: 0041F46C
                                                                                  • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F4A7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4025006896-0
                                                                                  • Opcode ID: 3680ae8bfdd5854ad182cc3ed0ee75b30f6016c42ee0be15608523d0c0c3bd16
                                                                                  • Instruction ID: e3796a94589284a41c738c5819506084737bfa234d933e9faf155b010baadd2a
                                                                                  • Opcode Fuzzy Hash: 3680ae8bfdd5854ad182cc3ed0ee75b30f6016c42ee0be15608523d0c0c3bd16
                                                                                  • Instruction Fuzzy Hash: 230192712401046FCB10EBA8DC81E9B379CA729314B10423BB905E76E2C73AAC558BAC
                                                                                  APIs
                                                                                  • WaitForInputIdle.USER32(?,00000032), ref: 00453390
                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
                                                                                  • CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                  • String ID:
                                                                                  • API String ID: 4071923889-0
                                                                                  • Opcode ID: 464959586153dfe20dd67b28afba754944294a3e2643d9052662c03b5fcfb21b
                                                                                  • Instruction ID: 425b4fcc71ae9d838f4840175c65cc31c3a1e87f24a2de7ee017be576f2ac103
                                                                                  • Opcode Fuzzy Hash: 464959586153dfe20dd67b28afba754944294a3e2643d9052662c03b5fcfb21b
                                                                                  • Instruction Fuzzy Hash: 7A01F970A00208BEEB209FA68C06F6F7A9CDB047A1F600567FD04D72D2C9B99E008668
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D1AF
                                                                                  • LoadResource.KERNEL32(00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?,?,004753C4,0000000A,REGDLL_EXE), ref: 0040D1C9
                                                                                  • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?,?,004753C4), ref: 0040D1E3
                                                                                  • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A950,00400000,00000001,00000000,?,0040D10C,00000000,?,00000000,?), ref: 0040D1ED
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                  • String ID:
                                                                                  • API String ID: 3473537107-0
                                                                                  • Opcode ID: ee5e1dc9f5e593ef15a6339409acf10a5561d1cb7b41ebb800b33b29d5258195
                                                                                  • Instruction ID: deda1d1a570b9924e372cdce74b1d0c8dfbf1797afb094277eb0e3b4c0f61081
                                                                                  • Opcode Fuzzy Hash: ee5e1dc9f5e593ef15a6339409acf10a5561d1cb7b41ebb800b33b29d5258195
                                                                                  • Instruction Fuzzy Hash: 21F06DB36046046F8704EE9EA881D6B77DCDE88364320013FF908EB282DA39DD118B78
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,00491450,?,?,?,004018B4), ref: 00401566
                                                                                  • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,00491450,?,?,?,004018B4), ref: 0040158B
                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,00491450,?,?,?,004018B4), ref: 004015B1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual$Alloc$Free
                                                                                  • String ID: \~
                                                                                  • API String ID: 3668210933-1166203647
                                                                                  • Opcode ID: 330ddf8eaf9cd8b7ca349f44975019c4a0f720b3395db8ab5c82b4cb6d8a8e52
                                                                                  • Instruction ID: ed267808ba39ab339b4b2d5a34b1d6988c3fb5e87b316149ff14d4d9021f8d0a
                                                                                  • Opcode Fuzzy Hash: 330ddf8eaf9cd8b7ca349f44975019c4a0f720b3395db8ab5c82b4cb6d8a8e52
                                                                                  • Instruction Fuzzy Hash: 61F0C8716403206AEB315A294C85F133AD4DBC5794F104075BE09FF3D9D6B8980082AC
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0046A1CD
                                                                                  Strings
                                                                                  • Failed to set NTFS compression state (%d)., xrefs: 0046A1DE
                                                                                  • Setting NTFS compression on file: %s, xrefs: 0046A19B
                                                                                  • Unsetting NTFS compression on file: %s, xrefs: 0046A1B3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                  • API String ID: 1452528299-3038984924
                                                                                  • Opcode ID: 690111c2e8c7d45acf222b1962293f7c5f198cc35ba20f40355524d2a7863f5b
                                                                                  • Instruction ID: 47f7f27018303e4db4ecddab4a834518905ab40d3cfe8eb9630ddd8b6c7f7bb7
                                                                                  • Opcode Fuzzy Hash: 690111c2e8c7d45acf222b1962293f7c5f198cc35ba20f40355524d2a7863f5b
                                                                                  • Instruction Fuzzy Hash: C401A730D0468856CF04D7AD50512DDBBE49F4A314F4482EFA455E7342EB790A088B9B
                                                                                  APIs
                                                                                    • Part of subcall function 0042DC34: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047BAE3,?,00000001,?,?,0047BAE3,?,00000001,00000000), ref: 0042DC50
                                                                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000002,00000000,?,?,00000000,00458D43,?,?,?,?,?,00000000,00458D56), ref: 0045416C
                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,00000002,00000000,?,?,00000000,00458D43,?,?,?,?,?,00000000), ref: 00454175
                                                                                  • RemoveFontResourceA.GDI32(00000000), ref: 00454182
                                                                                  • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454196
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,00000000), ref: 004698D5
                                                                                  Strings
                                                                                  • Unsetting NTFS compression on directory: %s, xrefs: 004698BB
                                                                                  • Failed to set NTFS compression state (%d)., xrefs: 004698E6
                                                                                  • Setting NTFS compression on directory: %s, xrefs: 004698A3
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$CountSleepTick
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638,?,?,?,?,?,0048FC34), ref: 00471309
                                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638), ref: 0047130F
                                                                                  • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000,00479638), ref: 00471331
                                                                                  • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00478DB7,?,?,00000001,00000000,00000002,00000000), ref: 00471342
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • GetLastActivePopup.USER32(?), ref: 004241E4
                                                                                  • IsWindowVisible.USER32(?), ref: 004241F5
                                                                                  • IsWindowEnabled.USER32(?), ref: 004241FF
                                                                                  • SetForegroundWindow.USER32(?), ref: 00424209
                                                                                  Similarity
                                                                                  • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • GlobalHandle.KERNEL32 ref: 00406277
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040627E
                                                                                  • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406283
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00406289
                                                                                  Similarity
                                                                                  • API ID: Global$AllocHandleLockUnlock
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00465549
                                                                                  • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046554F
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Menu$EnableItemSystem
                                                                                  • String ID: CurPageChanged
                                                                                  Strings
                                                                                  • Failed to proceed to next wizard page; aborting., xrefs: 00466F28
                                                                                  • Failed to proceed to next wizard page; showing wizard., xrefs: 00466F3C
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                  APIs
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0045370C
                                                                                  • GetLastError.KERNEL32(0000003C,00000000,00453755,?,?,?), ref: 0045371D
                                                                                    • Part of subcall function 00453364: WaitForInputIdle.USER32(?,00000032), ref: 00453390
                                                                                    • Part of subcall function 00453364: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004533B2
                                                                                    • Part of subcall function 00453364: GetExitCodeProcess.KERNEL32(?,?), ref: 004533C1
                                                                                    • Part of subcall function 00453364: CloseHandle.KERNEL32(?,004533EE,004533E7,?,?,?,00000000,?,?,004535C1,?,?,?,00000044,00000000,00000000), ref: 004533E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                                                                  • String ID: <
                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.KERNEL32(00491420,00000000,)), ref: 004025C7
                                                                                  • RtlLeaveCriticalSection.KERNEL32(00491420,0040263D), ref: 00402630
                                                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00491420,00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                    • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00491420,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                    • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00491420,00401A89,00000000,00401A82,?,?,0040222E,021B0CA8,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                  • String ID: )
                                                                                  APIs
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0048DEE3
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window
                                                                                  • String ID: /INITPROCWND=$%x $@
                                                                                  APIs
                                                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                  • SysFreeString.OLEAUT32(?), ref: 00446B36
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: String$AllocByteCharFreeMultiWide
                                                                                  • String ID: NIL Interface Exception$Unknown Method
                                                                                  • API String ID: 3952431833-1023667238
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048D7C8,?,0048D7BC,00000000,0048D7A3), ref: 0048D76E
                                                                                  • CloseHandle.KERNEL32(0048D808,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048D7C8,?,0048D7BC,00000000), ref: 0048D785
                                                                                    • Part of subcall function 0048D658: GetLastError.KERNEL32(00000000,0048D6F0,?,?,?,?), ref: 0048D67C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateErrorHandleLastProcess
                                                                                  • String ID: D
                                                                                  • API String ID: 3798668922-2746444292
                                                                                  APIs
                                                                                  • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DB90
                                                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBD0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value$EnumQuery
                                                                                  • String ID: Inno Setup: No Icons
                                                                                  • API String ID: 1576479698-2016326496
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00454C81
                                                                                  • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00454D13
                                                                                  Strings
                                                                                  • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00454CAD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                                                                  • API String ID: 3850602802-809544686
                                                                                  APIs
                                                                                    • Part of subcall function 00406EE0: DeleteFileA.KERNEL32(00000000,00491628,0048F6DE,00000000,0048F733,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EEB
                                                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 0046EF22
                                                                                    • Part of subcall function 0046ED74: GetLastError.KERNEL32(00000000,0046EE60,?,?,?,00492054,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046EEE7,00000001), ref: 0046ED95
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$DeleteErrorLastMove
                                                                                  • String ID: DeleteFile$MoveFile
                                                                                  • API String ID: 3195829115-139070271
                                                                                  APIs
                                                                                    • Part of subcall function 00453978: GetCurrentProcess.KERNEL32(00000028), ref: 00453987
                                                                                    • Part of subcall function 00453978: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0045398D
                                                                                  • SetForegroundWindow.USER32(?), ref: 0048E96B
                                                                                  Strings
                                                                                  • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0048E996
                                                                                  • Restarting Windows., xrefs: 0048E948
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                  • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                  • API String ID: 3179053593-4147564754
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(00000000,0048FB0E), ref: 0040334B
                                                                                  • GetCommandLineA.KERNEL32(00000000,0048FB0E), ref: 00403356
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: CommandHandleLineModule
                                                                                  • String ID: 07|
                                                                                  • API String ID: 2123368496-312385953
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599489013.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2599451176.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599594393.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                                  • Associated: 00000002.00000002.2599690483.00000000004A1000.00000002.00000001.01000000.00000004.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_400000_hAyQbTcI0I.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastSleep
                                                                                  • String ID:
                                                                                  • API String ID: 1458359878-0

                                                                                  Execution Graph

                                                                                  Execution Coverage: 11.3%
                                                                                  Dynamic/Decrypted Code Coverage: 83.6%
                                                                                  Signature Coverage: 4%
                                                                                  Total number of Nodes: 2000
                                                                                  Total number of Limit Nodes: 40
20051->20053 20056 404dc3 20053->20056 20054 404e73 20054->20050 20055 404de4 VirtualFree 20055->20056 20056->20054 20056->20055 20058 404d60 VirtualFree 20056->20058 20059 404d7d 20058->20059 20060 404dad 20059->20060 20061 404d8d HeapFree 20059->20061 20060->20056 20061->20056 20064 402ca3 20062->20064 20065 403008 20062->20065 20064->20016 20065->20064 20066 40302d 20065->20066 20067 40303c 20066->20067 20072 403051 20066->20072 20074 40304a 20067->20074 20075 404767 20067->20075 20069 403090 HeapAlloc 20070 40309f 20069->20070 20070->20065 20071 40304f 20071->20065 20072->20069 20072->20074 20081 404f14 20072->20081 20074->20069 20074->20070 20074->20071 20078 404799 20075->20078 20076 404838 20079 404847 20076->20079 20095 404b21 20076->20095 20078->20076 20078->20079 20088 404a70 20078->20088 20079->20074 20082 404f22 20081->20082 20083 40500e VirtualAlloc 20082->20083 20084 4050e3 20082->20084 20087 404fdf 20082->20087 20083->20087 20099 404c1c 20084->20099 20087->20074 20089 404ab3 HeapAlloc 20088->20089 20090 404a83 HeapReAlloc 20088->20090 20092 404b03 20089->20092 20093 404ad9 VirtualAlloc 20089->20093 20091 404aa2 20090->20091 20090->20092 20091->20089 20092->20076 20093->20092 20094 404af3 HeapFree 20093->20094 20094->20092 20096 404b33 20095->20096 20096->20096 20097 404b5d VirtualAlloc 20096->20097 20098 404b7c 20097->20098 20098->20079 20100 404c30 HeapAlloc 20099->20100 20101 404c29 20099->20101 20102 404c4d VirtualAlloc 20100->20102 20107 404c85 20100->20107 20101->20102 20103 404d42 20102->20103 20104 404c6d VirtualAlloc 20102->20104 20105 404d4a HeapFree 20103->20105 20103->20107 20106 404d34 VirtualFree 20104->20106 20104->20107 20105->20107 20106->20103 20107->20087 20110 2ce3d3e __close 20108->20110 20109 2ce3d8c ___DllMainCRTStartup 20111 2ce3de9 __close 20109->20111 20113 2ce3dc6 20109->20113 20115 2ce3b9d __CRT_INIT@12 138 API calls 20109->20115 20110->20109 20110->20111 20120 2ce3b9d 20110->20120 20111->20002 20113->20111 20114 2ce3b9d 
__CRT_INIT@12 138 API calls 20113->20114 20114->20111 20115->20113 20117 2ceb904 20116->20117 20118 2ceb911 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 20116->20118 20117->20118 20119 2ceb908 20117->20119 20118->20119 20119->19998 20121 2ce3ba9 __close 20120->20121 20122 2ce3c2b 20121->20122 20123 2ce3bb1 20121->20123 20125 2ce3c2f 20122->20125 20126 2ce3c94 20122->20126 20168 2ce81e7 GetProcessHeap 20123->20168 20130 2ce3c50 20125->20130 20162 2ce3bba __close __CRT_INIT@12 20125->20162 20269 2ce845c 20125->20269 20128 2ce3c99 20126->20128 20129 2ce3cf7 20126->20129 20127 2ce3bb6 20127->20162 20169 2ce5d94 20127->20169 20131 2ce91cb __CRT_INIT@12 TlsGetValue 20128->20131 20129->20162 20300 2ce5c24 20129->20300 20272 2ce8333 RtlDecodePointer 20130->20272 20136 2ce3ca4 20131->20136 20139 2ce8a6d __calloc_crt 59 API calls 20136->20139 20136->20162 20137 2ce3bc6 __RTC_Initialize 20145 2ce3bd6 GetCommandLineA 20137->20145 20137->20162 20141 2ce3cb5 20139->20141 20140 2ce3c66 __CRT_INIT@12 20296 2ce3c7f 20140->20296 20146 2ce91ea __CRT_INIT@12 TlsSetValue 20141->20146 20141->20162 20142 2ceb57f __ioterm 60 API calls 20144 2ce3c61 20142->20144 20147 2ce5e0a __mtterm 62 API calls 20144->20147 20190 2ceb97d GetEnvironmentStringsW 20145->20190 20149 2ce3ccd 20146->20149 20147->20140 20151 2ce3ceb 20149->20151 20152 2ce3cd3 20149->20152 20155 2ce2f74 _free 59 API calls 20151->20155 20154 2ce5ce1 __initptd 59 API calls 20152->20154 20157 2ce3cdb GetCurrentThreadId 20154->20157 20155->20162 20156 2ce3bf0 20158 2ce3bf4 20156->20158 20222 2ceb5d1 20156->20222 20157->20162 20255 2ce5e0a 20158->20255 20162->20109 20163 2ce3c14 20163->20162 20168->20127 20308 2ce8503 RtlEncodePointer 20169->20308 20171 2ce5d99 20313 2ce8a1f 20171->20313 20174 2ce5da2 20175 2ce5e0a __mtterm 62 API calls 20174->20175 20177 2ce5da7 20175->20177 20177->20137 20179 2ce5dbf 20180 2ce8a6d __calloc_crt 59 API calls 20179->20180 20181 2ce5dcc 20180->20181 20182 
2ce5e01 20181->20182 20184 2ce91ea __CRT_INIT@12 TlsSetValue 20181->20184 20183 2ce5e0a __mtterm 62 API calls 20182->20183 20185 2ce5e06 20183->20185 20186 2ce5de0 20184->20186 20185->20137 20186->20182 20187 2ce5de6 20186->20187 20188 2ce5ce1 __initptd 59 API calls 20187->20188 20189 2ce5dee GetCurrentThreadId 20188->20189 20189->20137 20191 2ce3be6 20190->20191 20192 2ceb990 WideCharToMultiByte 20190->20192 20203 2ceb2cb 20191->20203 20194 2ceb9fa FreeEnvironmentStringsW 20192->20194 20195 2ceb9c3 20192->20195 20194->20191 20196 2ce8ab5 __malloc_crt 59 API calls 20195->20196 20197 2ceb9c9 20196->20197 20197->20194 20198 2ceb9d0 WideCharToMultiByte 20197->20198 20199 2ceb9ef FreeEnvironmentStringsW 20198->20199 20200 2ceb9e6 20198->20200 20199->20191 20201 2ce2f74 _free 59 API calls 20200->20201 20202 2ceb9ec 20201->20202 20202->20199 20204 2ceb2d7 __close 20203->20204 20205 2ce88ee __lock 59 API calls 20204->20205 20206 2ceb2de 20205->20206 20207 2ce8a6d __calloc_crt 59 API calls 20206->20207 20209 2ceb2ef 20207->20209 20208 2ceb35a GetStartupInfoW 20216 2ceb36f 20208->20216 20217 2ceb49e 20208->20217 20209->20208 20210 2ceb2fa __close @_EH4_CallFilterFunc@8 20209->20210 20210->20156 20211 2ceb566 20321 2ceb576 20211->20321 20213 2ce8a6d __calloc_crt 59 API calls 20213->20216 20214 2ceb4eb GetStdHandle 20214->20217 20215 2ceb4fe GetFileType 20215->20217 20216->20213 20216->20217 20218 2ceb3bd 20216->20218 20217->20211 20217->20214 20217->20215 20221 2ce920c __mtinitlocks InitializeCriticalSectionAndSpinCount 20217->20221 20218->20217 20219 2ceb3f1 GetFileType 20218->20219 20220 2ce920c __mtinitlocks InitializeCriticalSectionAndSpinCount 20218->20220 20219->20218 20220->20218 20221->20217 20223 2ceb5df 20222->20223 20224 2ceb5e4 GetModuleFileNameA 20222->20224 20331 2ce528a 20223->20331 20226 2ceb611 20224->20226 20325 2ceb684 20226->20325 20228 2ce3c00 20228->20163 20233 2ceb800 20228->20233 20230 2ce8ab5 __malloc_crt 59 API calls 20231 2ceb64a 20230->20231 
20231->20228 20256 2ce5e14 20255->20256 20258 2ce5e1a 20255->20258 20507 2ce91ac 20256->20507 20259 2ce8938 RtlDeleteCriticalSection 20258->20259 20260 2ce8954 20258->20260 20261 2ce2f74 _free 59 API calls 20259->20261 20262 2ce8960 RtlDeleteCriticalSection 20260->20262 20263 2ce8973 20260->20263 20261->20258 20262->20260 20263->20162 20270 2ce85a5 _doexit 59 API calls 20269->20270 20271 2ce8467 20270->20271 20271->20130 20273 2ce834d 20272->20273 20274 2ce835f 20272->20274 20273->20274 20276 2ce2f74 _free 59 API calls 20273->20276 20275 2ce2f74 _free 59 API calls 20274->20275 20277 2ce836c 20275->20277 20276->20273 20278 2ce8390 20277->20278 20281 2ce2f74 _free 59 API calls 20277->20281 20279 2ce2f74 _free 59 API calls 20278->20279 20280 2ce839c 20279->20280 20282 2ce2f74 _free 59 API calls 20280->20282 20281->20277 20283 2ce83ad 20282->20283 20284 2ce2f74 _free 59 API calls 20283->20284 20285 2ce83b8 20284->20285 20286 2ce83dd RtlEncodePointer 20285->20286 20289 2ce2f74 _free 59 API calls 20285->20289 20287 2ce83f8 20286->20287 20288 2ce83f2 20286->20288 20291 2ce840e 20287->20291 20294 2ce2f74 _free 59 API calls 20287->20294 20290 2ce2f74 _free 59 API calls 20288->20290 20293 2ce83dc 20289->20293 20290->20287 20292 2ce3c55 20291->20292 20295 2ce2f74 _free 59 API calls 20291->20295 20292->20140 20292->20142 20293->20286 20294->20291 20295->20292 20297 2ce3c83 20296->20297 20298 2ce3c91 20296->20298 20297->20298 20299 2ce5e0a __mtterm 62 API calls 20297->20299 20298->20162 20299->20298 20301 2ce5c31 20300->20301 20307 2ce5c57 20300->20307 20303 2ce91cb __CRT_INIT@12 TlsGetValue 20301->20303 20305 2ce5c3f 20301->20305 20302 2ce91ea __CRT_INIT@12 TlsSetValue 20304 2ce5c4f 20302->20304 20303->20305 20510 2ce5aef 20304->20510 20305->20302 20307->20162 20309 2ce8514 __init_pointers __initp_misc_winsig 20308->20309 20320 2ce3a07 RtlEncodePointer 20309->20320 20311 2ce852c __init_pointers 20312 2ce927a 34 API calls 20311->20312 20312->20171 20314 2ce8a2b 20313->20314 
20315 2ce920c __mtinitlocks InitializeCriticalSectionAndSpinCount 20314->20315 20316 2ce5d9e 20314->20316 20315->20314 20316->20174 20317 2ce918e 20316->20317 20318 2ce5db4 20317->20318 20319 2ce91a5 TlsAlloc 20317->20319 20318->20174 20318->20179 20320->20311 20324 2ce8a58 RtlLeaveCriticalSection 20321->20324 20323 2ceb57d 20323->20210 20324->20323 20327 2ceb6a6 20325->20327 20329 2ceb70a 20327->20329 20335 2cf15d6 20327->20335 20328 2ceb627 20328->20228 20328->20230 20329->20328 20330 2cf15d6 _parse_cmdline 59 API calls 20329->20330 20330->20329 20332 2ce529a 20331->20332 20333 2ce5293 20331->20333 20332->20224 20391 2ce55e7 20333->20391 20338 2cf157c 20335->20338 20341 2ce227b 20338->20341 20342 2ce228c 20341->20342 20348 2ce22d9 20341->20348 20348->20327 20392 2ce55f3 __close 20391->20392 20393 2ce5c5a __write_nolock 59 API calls 20392->20393 20394 2ce55fb 20393->20394 20395 2ce5541 _LocaleUpdate::_LocaleUpdate 59 API calls 20394->20395 20508 2ce91bf 20507->20508 20509 2ce91c3 TlsFree 20507->20509 20508->20258 20509->20258 20511 2ce5afb __close 20510->20511 20512 2ce5b14 20511->20512 20513 2ce2f74 _free 59 API calls 20511->20513 20515 2ce5c03 __close 20511->20515 20514 2ce5b23 20512->20514 20516 2ce2f74 _free 59 API calls 20512->20516 20513->20512 20517 2ce5b32 20514->20517 20518 2ce2f74 _free 59 API calls 20514->20518 20515->20307 20516->20514 20519 2ce5b41 20517->20519 20521 2ce2f74 _free 59 API calls 20517->20521 20518->20517 20520 2ce5b50 20519->20520 20522 2ce2f74 _free 59 API calls 20519->20522 20523 2ce5b5f 20520->20523 20524 2ce2f74 _free 59 API calls 20520->20524 20521->20519 20522->20520 20525 2ce5b6e 20523->20525 20526 2ce2f74 _free 59 API calls 20523->20526 20524->20523 20527 2ce5b80 20525->20527 20529 2ce2f74 _free 59 API calls 20525->20529 20526->20525 20528 2ce88ee __lock 59 API calls 20527->20528 20531 2ce5b88 20528->20531 20529->20527 20533 2ce2f74 _free 59 API calls 20531->20533 20535 2ce5bab 20531->20535 20533->20535 20534 2ce88ee __lock 59 
API calls 20540 2ce5bbf ___removelocaleref 20534->20540 20542 2ce5c0f 20535->20542 20536 2ce5bf0 20575 2ce5c1b 20536->20575 20539 2ce2f74 _free 59 API calls 20539->20515 20540->20536 20545 2ce4fc5 20540->20545 20578 2ce8a58 RtlLeaveCriticalSection 20542->20578 20544 2ce5bb8 20544->20534 20546 2ce4fda 20545->20546 20547 2ce503e 20545->20547 20546->20547 20549 2ce500b 20546->20549 20557 2ce2f74 _free 59 API calls 20546->20557 20548 2ce2f74 _free 59 API calls 20547->20548 20574 2ce508b 20547->20574 20551 2ce505f 20548->20551 20552 2ce5029 20549->20552 20561 2ce2f74 _free 59 API calls 20549->20561 20553 2ce2f74 _free 59 API calls 20551->20553 20556 2ce2f74 _free 59 API calls 20552->20556 20555 2ce5072 20553->20555 20562 2ce2f74 _free 59 API calls 20555->20562 20563 2ce5033 20556->20563 20565 2ce5000 20557->20565 20558 2ce2f74 _free 59 API calls 20564 2ce50b4 20558->20564 20559 2ce5113 20560 2ce2f74 _free 59 API calls 20559->20560 20566 2ce5119 20560->20566 20567 2ce501e 20561->20567 20568 2ce5080 20562->20568 20569 2ce2f74 _free 59 API calls 20563->20569 20564->20559 20570 2ce2f74 59 API calls _free 20564->20570 20579 2ced3da 20565->20579 20566->20536 20607 2ced4d6 20567->20607 20573 2ce2f74 _free 59 API calls 20568->20573 20569->20547 20570->20564 20573->20574 20574->20564 20619 2ced53d 20574->20619 20795 2ce8a58 RtlLeaveCriticalSection 20575->20795 20577 2ce5bfd 20577->20539 20578->20544 20581 2ced3e9 20579->20581 20606 2ced4d2 20579->20606 20580 2ced3fa 20583 2ced40c 20580->20583 20584 2ce2f74 _free 59 API calls 20580->20584 20581->20580 20582 2ce2f74 _free 59 API calls 20581->20582 20582->20580 20585 2ced41e 20583->20585 20586 2ce2f74 _free 59 API calls 20583->20586 20584->20583 20587 2ced430 20585->20587 20588 2ce2f74 _free 59 API calls 20585->20588 20586->20585 20589 2ced442 20587->20589 20590 2ce2f74 _free 59 API calls 20587->20590 20588->20587 20590->20589 20606->20549 20608 2ced539 20607->20608 20609 2ced4e1 20607->20609 20608->20552 20610 2ced4f1 20609->20610 
20611 2ce2f74 _free 59 API calls 20609->20611 20612 2ced503 20610->20612 20613 2ce2f74 _free 59 API calls 20610->20613 20611->20610 20614 2ced515 20612->20614 20615 2ce2f74 _free 59 API calls 20612->20615 20613->20612 20616 2ced527 20614->20616 20617 2ce2f74 _free 59 API calls 20614->20617 20615->20614 20616->20608 20617->20616 20620 2ced54c 20619->20620 20621 2ce50a9 20619->20621 20622 2ce2f74 _free 59 API calls 20620->20622 20621->20558 20623 2ced554 20622->20623 20624 2ce2f74 _free 59 API calls 20623->20624 20625 2ced55c 20624->20625 20626 2ce2f74 _free 59 API calls 20625->20626 20627 2ced564 20626->20627 20795->20577 20796 2cd648b RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 20797 2cd64f3 GetTickCount 20796->20797 20874 2cd42c7 20796->20874 20875 2cd605a 20797->20875 20876 2ce2fac _malloc 59 API calls 20875->20876 20877 2cd606d 20876->20877 20878 402288 RegQueryValueExA 20879 402333 20878->20879 20880 402233 RegCloseKey 20879->20880 20881 402339 20879->20881 20882 40d0e5 20880->20882 20883 402548 lstrcmpiW 20884 402556 20883->20884 20885 2d42f9d 20886 2d49d45 DnsQuery_A 20885->20886 20887 2d4c92f 20886->20887 20888 40da4f 20889 40da58 LoadLibraryExA 20888->20889 20890 2d16fc1 20891 2d3634c CloseHandle 20890->20891 20892 2cdf99e LoadLibraryA 20893 2cdf9c7 GetProcAddress 20892->20893 20894 2cdfa81 20892->20894 20895 2cdf9db 20893->20895 20896 2cdfa7a FreeLibrary 20893->20896 20897 2cdf9ed GetAdaptersInfo 20895->20897 20898 2cdfa75 20895->20898 20900 2ce3b4c 20895->20900 20896->20894 20897->20895 20898->20896 20903 2ce3b54 20900->20903 20901 2ce2fac _malloc 59 API calls 20901->20903 20902 2ce3b6e 20902->20895 20903->20901 20903->20902 20904 2ce8204 _malloc RtlDecodePointer 20903->20904 20905 2ce3b72 std::exception::exception 20903->20905 20904->20903 20908 2ce455a 20905->20908 20907 2ce3b9c 20909 2ce4579 RaiseException 20908->20909 20909->20907 20911 2cdf89a CreateFileA 20912 2cdf996 20911->20912 20917 2cdf8cb 
20911->20917 20913 2cdf8e3 DeviceIoControl 20913->20917 20914 2cdf98c CloseHandle 20914->20912 20915 2cdf958 GetLastError 20915->20914 20915->20917 20916 2ce3b4c _Allocate 60 API calls 20916->20917 20917->20913 20917->20914 20917->20915 20917->20916 20918 2ce9752 20919 2ce975f 20918->20919 20920 2ce8a6d __calloc_crt 59 API calls 20919->20920 20921 2ce9779 20920->20921 20922 2ce9792 20921->20922 20923 2ce8a6d __calloc_crt 59 API calls 20921->20923 20923->20922 20924 40285d Sleep 20925 40db72 20924->20925 20926 40d55d RegCreateKeyExA 20927 40d2de CopyFileA 20928 4022e4 20930 40226c RegSetValueExA 20928->20930 20931 401f64 FindResourceA 20932 401f86 GetLastError SizeofResource 20931->20932 20933 401f9f 20931->20933 20932->20933 20934 401fa6 LoadResource LockResource GlobalAlloc 20932->20934 20935 401fd2 20934->20935 20936 401ffb GetTickCount 20935->20936 20938 402005 GlobalAlloc 20936->20938 20938->20933 20939 40d725 20940 40d728 Sleep 20939->20940 20942 40daa0 20940->20942 20942->20942 20943 2cd72ab InternetOpenA 20944 2cd72c9 InternetSetOptionA InternetSetOptionA InternetSetOptionA 20943->20944 20959 2cd66f4 _memset shared_ptr 20943->20959 20950 2cd7342 _memset 20944->20950 20945 2cd7322 InternetOpenUrlA 20946 2cd7382 InternetCloseHandle 20945->20946 20945->20950 20946->20959 20947 2cd7346 InternetReadFile 20947->20950 20951 2cd7377 InternetCloseHandle 20947->20951 20948 2cd6708 Sleep 20949 2cd670e RtlEnterCriticalSection RtlLeaveCriticalSection 20948->20949 20949->20959 20950->20945 20950->20947 20951->20946 20952 2cd73e9 RtlEnterCriticalSection RtlLeaveCriticalSection 21054 2ce233c 20952->21054 20954 2ce233c 66 API calls 20954->20959 20955 2ce2fac _malloc 59 API calls 20956 2cd749d RtlEnterCriticalSection RtlLeaveCriticalSection 20955->20956 20956->20959 20957 2cd776a RtlEnterCriticalSection RtlLeaveCriticalSection 20957->20959 20959->20943 20959->20948 20959->20949 20959->20952 20959->20954 20959->20955 20959->20957 20960 2ce2fac 59 API calls _malloc 20959->20960 
20963 2cd78e2 RtlEnterCriticalSection 20959->20963 20964 2cd790f RtlLeaveCriticalSection 20959->20964 20969 2ce2f74 59 API calls _free 20959->20969 20971 2cda71c 73 API calls 20959->20971 20972 2ce3b4c _Allocate 60 API calls 20959->20972 20978 2ce35e6 60 API calls _strtok 20959->20978 20982 2cd76ec Sleep 20959->20982 20983 2cd76e7 shared_ptr 20959->20983 20986 2cd5119 20959->20986 21015 2cdac06 20959->21015 21025 2cd61f5 20959->21025 21028 2cd8332 20959->21028 21034 2cdd10e 20959->21034 21039 2cd83e1 20959->21039 21047 2cd33b2 20959->21047 21064 2ce2850 20959->21064 21067 2cd972e 20959->21067 21074 2cda846 20959->21074 21082 2cd4100 20959->21082 21086 2ce2418 20959->21086 21097 2cd1ba7 20959->21097 21113 2cd3d7e 20959->21113 21120 2cd8ffa 20959->21120 21127 2cd534d 20959->21127 20960->20959 20963->20959 20963->20964 21106 2cd3c67 20964->21106 20969->20959 20971->20959 20972->20959 20978->20959 21078 2ce18f0 20982->21078 20983->20982 20987 2cd5123 __EH_prolog 20986->20987 21137 2ce0b10 20987->21137 20990 2cd3c67 72 API calls 20991 2cd514a 20990->20991 20992 2cd3d7e 64 API calls 20991->20992 20993 2cd5158 20992->20993 20994 2cd8332 89 API calls 20993->20994 20995 2cd516c 20994->20995 20998 2cd5322 shared_ptr 20995->20998 21141 2cda71c 20995->21141 20998->20959 20999 2cd51c4 21002 2cda71c 73 API calls 20999->21002 21000 2cd51f6 21001 2cda71c 73 API calls 21000->21001 21004 2cd5207 21001->21004 21003 2cd51d4 21002->21003 21003->20998 21007 2cda71c 73 API calls 21003->21007 21004->20998 21005 2cda71c 73 API calls 21004->21005 21006 2cd524a 21005->21006 21006->20998 21009 2cda71c 73 API calls 21006->21009 21008 2cd52b4 21007->21008 21008->20998 21010 2cda71c 73 API calls 21008->21010 21009->21003 21011 2cd52da 21010->21011 21011->20998 21012 2cda71c 73 API calls 21011->21012 21013 2cd5304 21012->21013 21146 2cdced0 21013->21146 21016 2cdac10 __EH_prolog 21015->21016 21197 2cdd0e5 21016->21197 21018 2cdac31 shared_ptr 21200 2ce20f0 21018->21200 21020 2cdac48 21021 2cdac5e 
21020->21021 21206 2cd3fb0 21020->21206 21021->20959 21026 2ce2fac _malloc 59 API calls 21025->21026 21027 2cd6208 21026->21027 21029 2cd834a 21028->21029 21030 2cd836b 21028->21030 21829 2cd95f4 21029->21829 21033 2cd8390 21030->21033 21832 2cd2ac7 21030->21832 21033->20959 21035 2ce0b10 Mailbox 68 API calls 21034->21035 21036 2cdd124 21035->21036 21037 2cdd212 21036->21037 21038 2cd2db5 73 API calls 21036->21038 21037->20959 21038->21036 21040 2cd83fc WSASetLastError shutdown 21039->21040 21041 2cd83ec 21039->21041 21043 2cda500 69 API calls 21040->21043 21042 2ce0b10 Mailbox 68 API calls 21041->21042 21044 2cd83f1 21042->21044 21045 2cd8419 21043->21045 21044->20959 21045->21044 21046 2ce0b10 Mailbox 68 API calls 21045->21046 21046->21044 21048 2cd33c4 InterlockedCompareExchange 21047->21048 21049 2cd33e1 21047->21049 21048->21049 21050 2cd33d6 21048->21050 21051 2cd29ee 76 API calls 21049->21051 21922 2cd32ab 21050->21922 21053 2cd33f1 21051->21053 21053->20959 21055 2ce2348 21054->21055 21056 2ce236b 21054->21056 21055->21056 21058 2ce234e 21055->21058 21975 2ce2383 21056->21975 21059 2ce5e5b __cftoa_l 59 API calls 21058->21059 21061 2ce2353 21059->21061 21060 2ce237e 21060->20959 21062 2ce4ef5 __cftoa_l 9 API calls 21061->21062 21063 2ce235e 21062->21063 21063->20959 21985 2ce286e 21064->21985 21066 2ce2869 21066->20959 21068 2cd9738 __EH_prolog 21067->21068 21069 2cd1ba7 282 API calls 21068->21069 21071 2cd978d 21069->21071 21070 2cd97aa RtlEnterCriticalSection 21072 2cd97c8 RtlLeaveCriticalSection 21070->21072 21073 2cd97c5 21070->21073 21071->21070 21072->20959 21073->21072 21075 2cda850 __EH_prolog 21074->21075 21991 2cddff7 21075->21991 21077 2cda86e shared_ptr 21077->20959 21079 2ce18fd 21078->21079 21080 2ce1921 21078->21080 21079->21080 21081 2ce1911 GetProcessHeap HeapFree 21079->21081 21080->20959 21081->21080 21083 2cd4112 21082->21083 21085 2cd4118 21082->21085 21995 2cda6fa 21083->21995 21085->20959 21087 2ce2449 21086->21087 21088 2ce2434 
21086->21088 21087->21088 21089 2ce2450 21087->21089 21090 2ce5e5b __cftoa_l 59 API calls 21088->21090 21997 2ce6050 21089->21997 21092 2ce2439 21090->21092 21094 2ce4ef5 __cftoa_l 9 API calls 21092->21094 21096 2ce2444 21094->21096 21096->20959 22222 2cf53f0 21097->22222 21099 2cd1bb1 RtlEnterCriticalSection 21100 2cd1be9 RtlLeaveCriticalSection 21099->21100 21103 2cd1bd1 21099->21103 22223 2cde327 21100->22223 21102 2cd1c55 RtlLeaveCriticalSection 21102->20959 21103->21100 21103->21102 21104 2cd1c22 21104->21102 21107 2ce0b10 Mailbox 68 API calls 21106->21107 21108 2cd3c7e 21107->21108 22280 2cd3ca2 21108->22280 21114 2cd3d99 htons 21113->21114 21115 2cd3dcb htons 21113->21115 21116 2cd3bd3 60 API calls 21114->21116 22326 2cd3c16 21115->22326 21118 2cd3db7 htonl htonl 21116->21118 21119 2cd3ded 21118->21119 21119->20959 21121 2cd9004 __EH_prolog 21120->21121 22332 2cd373f 21121->22332 21123 2cd901e RtlEnterCriticalSection 21125 2cd902d RtlLeaveCriticalSection 21123->21125 21126 2cd9067 21125->21126 21126->20959 21128 2ce2fac _malloc 59 API calls 21127->21128 21129 2cd5362 SHGetSpecialFolderPathA 21128->21129 21130 2cd5378 21129->21130 22341 2ce3771 21130->22341 21134 2cd53dc 22357 2ce3a84 21134->22357 21136 2cd53e2 21136->20959 21138 2ce0b39 21137->21138 21140 2cd513d 21137->21140 21139 2ce33a4 __cinit 68 API calls 21138->21139 21139->21140 21140->20990 21142 2ce0b10 Mailbox 68 API calls 21141->21142 21145 2cda736 21142->21145 21143 2cd519d 21143->20998 21143->20999 21143->21000 21145->21143 21151 2cd2db5 21145->21151 21147 2ce0b10 Mailbox 68 API calls 21146->21147 21148 2cdceea 21147->21148 21149 2cdcff9 21148->21149 21178 2cd2b95 21148->21178 21149->20998 21152 2cd2dca 21151->21152 21155 2cd2de4 21151->21155 21153 2ce0b10 Mailbox 68 API calls 21152->21153 21159 2cd2dcf 21153->21159 21154 2cd2dfc 21165 2cd2d39 WSASetLastError WSASend 21154->21165 21155->21154 21157 2cd2def 21155->21157 21158 2ce0b10 Mailbox 68 API calls 21157->21158 21158->21159 21159->21145 
21160 2cd2e54 WSASetLastError select 21175 2cda500 21160->21175 21162 2ce0b10 68 API calls Mailbox 21163 2cd2e0c 21162->21163 21163->21159 21163->21160 21163->21162 21164 2cd2d39 71 API calls 21163->21164 21164->21163 21166 2cda500 69 API calls 21165->21166 21167 2cd2d6e 21166->21167 21168 2cd2d75 21167->21168 21169 2cd2d82 21167->21169 21170 2ce0b10 Mailbox 68 API calls 21168->21170 21171 2ce0b10 Mailbox 68 API calls 21169->21171 21173 2cd2d7a 21169->21173 21170->21173 21171->21173 21172 2cd2d9c 21172->21163 21173->21172 21174 2ce0b10 Mailbox 68 API calls 21173->21174 21174->21172 21176 2ce0b10 Mailbox 68 API calls 21175->21176 21177 2cda50c WSAGetLastError 21176->21177 21177->21163 21179 2cd2bc7 21178->21179 21180 2cd2bb1 21178->21180 21182 2cd2bd2 21179->21182 21192 2cd2bdf 21179->21192 21181 2ce0b10 Mailbox 68 API calls 21180->21181 21186 2cd2bb6 21181->21186 21184 2ce0b10 Mailbox 68 API calls 21182->21184 21183 2cd2be2 WSASetLastError WSARecv 21185 2cda500 69 API calls 21183->21185 21184->21186 21185->21192 21186->21148 21187 2cd2d22 21193 2cd1996 21187->21193 21188 2ce0b10 68 API calls Mailbox 21188->21192 21190 2cd2cbc WSASetLastError select 21191 2cda500 69 API calls 21190->21191 21191->21192 21192->21183 21192->21186 21192->21187 21192->21188 21192->21190 21194 2cd19bb 21193->21194 21195 2cd199f 21193->21195 21194->21186 21196 2ce33a4 __cinit 68 API calls 21195->21196 21196->21194 21219 2cde277 21197->21219 21199 2cdd0f7 21199->21018 21301 2ce33b9 21200->21301 21202 2ce2114 21202->21020 21203 2ce213d ResumeThread 21203->21020 21205 2ce2136 CloseHandle 21205->21203 21207 2ce0b10 Mailbox 68 API calls 21206->21207 21208 2cd3fb8 21207->21208 21800 2cd1815 21208->21800 21211 2cda682 21212 2cda68c __EH_prolog 21211->21212 21806 2cdcc3a 21212->21806 21220 2cde281 __EH_prolog 21219->21220 21225 2cd4030 21220->21225 21224 2cde2af 21224->21199 21237 2cf53f0 21225->21237 21227 2cd403a GetProcessHeap RtlAllocateHeap 21228 2cd407c 21227->21228 21229 2cd4053 
std::exception::exception 21227->21229 21228->21224 21231 2cd408a 21228->21231 21238 2cda6c1 21229->21238 21232 2cd4094 __EH_prolog 21231->21232 21282 2cda2e0 21232->21282 21237->21227 21239 2cda6cb __EH_prolog 21238->21239 21246 2cdcc70 21239->21246 21244 2ce455a __CxxThrowException@8 RaiseException 21245 2cda6f9 21244->21245 21252 2cdd7d0 21246->21252 21249 2cdcc8a 21274 2cdd808 21249->21274 21251 2cda6e8 21251->21244 21255 2ce2513 21252->21255 21258 2ce2541 21255->21258 21259 2ce254f 21258->21259 21260 2cda6da 21258->21260 21264 2ce25d7 21259->21264 21260->21249 21265 2ce2554 21264->21265 21266 2ce25e0 21264->21266 21265->21260 21268 2ce2599 21265->21268 21267 2ce2f74 _free 59 API calls 21266->21267 21267->21265 21269 2ce25a5 _strlen 21268->21269 21270 2ce25ca 21268->21270 21271 2ce2fac _malloc 59 API calls 21269->21271 21270->21260 21272 2ce25b7 21271->21272 21272->21270 21273 2ce6cbc __setenvp 59 API calls 21272->21273 21273->21270 21275 2cdd812 __EH_prolog 21274->21275 21278 2cdb733 21275->21278 21277 2cdd849 Mailbox 21277->21251 21279 2cdb73d __EH_prolog 21278->21279 21280 2ce2513 std::exception::exception 59 API calls 21279->21280 21281 2cdb74e Mailbox 21280->21281 21281->21277 21293 2cdb0f7 21282->21293 21285 2cd3fdc 21300 2cf53f0 21285->21300 21287 2cd3fe6 CreateEventA 21288 2cd3ffd 21287->21288 21289 2cd400f 21287->21289 21290 2cd3fb0 Mailbox 68 API calls 21288->21290 21289->21224 21291 2cd4005 21290->21291 21292 2cda682 Mailbox 60 API calls 21291->21292 21292->21289 21294 2cd40c1 21293->21294 21295 2cdb103 21293->21295 21294->21285 21296 2ce3b4c _Allocate 60 API calls 21295->21296 21297 2cdb113 std::exception::exception 21295->21297 21296->21297 21297->21294 21298 2ce455a __CxxThrowException@8 RaiseException 21297->21298 21299 2cdfb28 21298->21299 21300->21287 21302 2ce33db 21301->21302 21303 2ce33c7 21301->21303 21305 2ce8a6d __calloc_crt 59 API calls 21302->21305 21304 2ce5e5b __cftoa_l 59 API calls 21303->21304 21306 2ce33cc 21304->21306 21307 
2ce33e8 21305->21307 21308 2ce4ef5 __cftoa_l 9 API calls 21306->21308 21309 2ce3439 21307->21309 21311 2ce5c5a __write_nolock 59 API calls 21307->21311 21314 2ce210b 21308->21314 21310 2ce2f74 _free 59 API calls 21309->21310 21312 2ce343f 21310->21312 21313 2ce33f5 21311->21313 21312->21314 21320 2ce5e3a 21312->21320 21315 2ce5ce1 __initptd 59 API calls 21313->21315 21314->21202 21314->21203 21314->21205 21317 2ce33fe CreateThread 21315->21317 21317->21314 21319 2ce3431 GetLastError 21317->21319 21328 2ce3519 21317->21328 21319->21309 21325 2ce5e27 21320->21325 21322 2ce5e43 __dosmaperr 21323 2ce5e5b __cftoa_l 59 API calls 21322->21323 21324 2ce5e56 21323->21324 21324->21314 21326 2ce5c72 __getptd_noexit 59 API calls 21325->21326 21327 2ce5e2c 21326->21327 21327->21322 21329 2ce3522 __threadstartex@4 21328->21329 21330 2ce91cb __CRT_INIT@12 TlsGetValue 21329->21330 21331 2ce3528 21330->21331 21332 2ce352f __threadstartex@4 21331->21332 21333 2ce355b 21331->21333 21336 2ce91ea __CRT_INIT@12 TlsSetValue 21332->21336 21334 2ce5aef __freefls@4 59 API calls 21333->21334 21335 2ce3576 ___crtIsPackagedApp 21334->21335 21340 2ce358a 21335->21340 21344 2ce34c1 21335->21344 21337 2ce353e 21336->21337 21338 2ce3544 GetLastError RtlExitUserThread 21337->21338 21339 2ce3551 GetCurrentThreadId 21337->21339 21338->21339 21339->21335 21350 2ce3452 21340->21350 21345 2ce34ca LoadLibraryExW GetProcAddress 21344->21345 21346 2ce3503 RtlDecodePointer 21344->21346 21347 2ce34ec 21345->21347 21348 2ce34ed RtlEncodePointer 21345->21348 21349 2ce3513 21346->21349 21347->21340 21348->21346 21349->21340 21351 2ce345e __close 21350->21351 21352 2ce5c5a __write_nolock 59 API calls 21351->21352 21353 2ce3463 21352->21353 21360 2ce2160 21353->21360 21380 2ce1610 21360->21380 21363 2ce21a8 TlsSetValue 21364 2ce21b0 21363->21364 21402 2cdddab 21364->21402 21406 2cddd78 21364->21406 21411 2cddc88 21364->21411 21394 2ce1674 21380->21394 21381 2ce16f0 21382 2ce1706 21381->21382 21384 2ce1703 

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • Sleep.KERNEL32(0000EA60), ref: 02CD6708
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD6713
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD6724
                                                                                  • _memset.LIBCMT ref: 02CD6779
                                                                                  • _memset.LIBCMT ref: 02CD6788
                                                                                  • InternetOpenA.WININET(?), ref: 02CD72B5
                                                                                  • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02CD72DD
                                                                                  • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02CD72F5
                                                                                  • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02CD730D
                                                                                  • _memset.LIBCMT ref: 02CD731D
                                                                                  • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02CD7336
                                                                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02CD7358
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 02CD7378
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 02CD7383
                                                                                  • _memset.LIBCMT ref: 02CD73CB
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD73EE
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD73FF
                                                                                  • _malloc.LIBCMT ref: 02CD7498
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD74AA
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD74B6
                                                                                  • _memset.LIBCMT ref: 02CD74D0
                                                                                  • _memset.LIBCMT ref: 02CD74DF
                                                                                  • _memset.LIBCMT ref: 02CD74EF
                                                                                  • _memset.LIBCMT ref: 02CD7502
                                                                                  • _memset.LIBCMT ref: 02CD7518
                                                                                  • _malloc.LIBCMT ref: 02CD758E
                                                                                  • _memset.LIBCMT ref: 02CD759F
                                                                                  • _strtok.LIBCMT ref: 02CD75BF
                                                                                  • _swscanf.LIBCMT ref: 02CD75D6
                                                                                  • _strtok.LIBCMT ref: 02CD75ED
                                                                                  • _free.LIBCMT ref: 02CD75F9
                                                                                  • Sleep.KERNEL32(000007D0), ref: 02CD76F1
                                                                                  • _memset.LIBCMT ref: 02CD7765
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD7772
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD7784
                                                                                  • _sprintf.LIBCMT ref: 02CD7822
                                                                                  • RtlEnterCriticalSection.NTDLL(00000020), ref: 02CD78E6
                                                                                  • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CD791A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                                  • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                                  • API String ID: 696907137-1839899575
                                                                                  • Opcode ID: c8214444d5474c7e53474ab4f6394250821d66e3cb9e13eeb1b22aa3a910179a
                                                                                  • Instruction ID: 19b50b236496e3b03983d22c83231a6145f1251a220427bfe55ca54ea8843c0f
                                                                                  • Opcode Fuzzy Hash: c8214444d5474c7e53474ab4f6394250821d66e3cb9e13eeb1b22aa3a910179a
                                                                                  • Instruction Fuzzy Hash: A032F0315483819FE775AB24DC45BAFBBEAAFC5314F10482DF68A97290EB709508CB53

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • RtlInitializeCriticalSection.NTDLL(02D071E0), ref: 02CD64BA
                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02CD64D1
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02CD64DA
                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02CD64E9
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02CD64EC
                                                                                  • GetTickCount.KERNEL32 ref: 02CD64F8
                                                                                    • Part of subcall function 02CD605A: _malloc.LIBCMT ref: 02CD6068
                                                                                  • GetVersionExA.KERNEL32(02D07038), ref: 02CD6525
                                                                                  • _memset.LIBCMT ref: 02CD6544
                                                                                  • _malloc.LIBCMT ref: 02CD6551
                                                                                    • Part of subcall function 02CE2FAC: __FF_MSGBANNER.LIBCMT ref: 02CE2FC3
                                                                                    • Part of subcall function 02CE2FAC: __NMSG_WRITE.LIBCMT ref: 02CE2FCA
                                                                                    • Part of subcall function 02CE2FAC: RtlAllocateHeap.NTDLL(00960000,00000000,00000001), ref: 02CE2FEF
                                                                                  • _malloc.LIBCMT ref: 02CD6561
                                                                                  • _malloc.LIBCMT ref: 02CD656C
                                                                                  • _malloc.LIBCMT ref: 02CD6577
                                                                                  • _malloc.LIBCMT ref: 02CD6582
                                                                                  • _malloc.LIBCMT ref: 02CD658D
                                                                                  • _malloc.LIBCMT ref: 02CD6598
                                                                                  • _malloc.LIBCMT ref: 02CD65A7
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02CD65BE
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02CD65C7
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CD65D6
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02CD65D9
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CD65E4
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02CD65E7
                                                                                  • _memset.LIBCMT ref: 02CD65FA
                                                                                  • _memset.LIBCMT ref: 02CD6606
                                                                                  • _memset.LIBCMT ref: 02CD6613
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD6621
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD662E
                                                                                  • _malloc.LIBCMT ref: 02CD6652
                                                                                  • _malloc.LIBCMT ref: 02CD6660
                                                                                  • _malloc.LIBCMT ref: 02CD6667
                                                                                  • _malloc.LIBCMT ref: 02CD668D
                                                                                  • QueryPerformanceCounter.KERNEL32(00000200), ref: 02CD66A0
                                                                                  • Sleep.KERNEL32 ref: 02CD66AE
                                                                                  • _malloc.LIBCMT ref: 02CD66BA
                                                                                  • _malloc.LIBCMT ref: 02CD66C7
                                                                                  • _memset.LIBCMT ref: 02CD66DC
                                                                                  • _memset.LIBCMT ref: 02CD66EC
                                                                                  • Sleep.KERNEL32(0000EA60), ref: 02CD6708
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD6713
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD6724
                                                                                  • _memset.LIBCMT ref: 02CD6779
                                                                                  • _memset.LIBCMT ref: 02CD6788
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                  • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                  • API String ID: 2251652938-2678694477
                                                                                  • Opcode ID: 592e83025962ac71dd808421166ce6546d3cf83d1f3f19fff1378de2616dbe36
                                                                                  • Instruction ID: 90b3b1c659ef583ca9aef3a5d5023199a94de3f36789e1508dc700b66f87e37f
                                                                                  • Opcode Fuzzy Hash: 592e83025962ac71dd808421166ce6546d3cf83d1f3f19fff1378de2616dbe36
                                                                                  • Instruction Fuzzy Hash: 3771C6B1D48350AFE710AF74AC45B5BBBE8AF89310F100819FA869B390DBB45814DF97

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                  • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                  • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                  • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                  • API String ID: 514930453-3667123677
                                                                                  • Opcode ID: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                  • Instruction ID: 38440359ad4724572ca0372a4bc8090c683b298b5ffde01d95b1867a6a9b844d
                                                                                  • Opcode Fuzzy Hash: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                  • Instruction Fuzzy Hash: F921B870904109AFEF119F65C9447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02CDF9B4
                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02CDF9CD
                                                                                  • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02CDF9F2
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 02CDFA7B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                  • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                  • API String ID: 514930453-3114217049
                                                                                  • Opcode ID: 9a262c0e4b8aa53e1a333b3ea306f831dcb7f843b01038a7b91decec7af1b2d6
                                                                                  • Instruction ID: 7ffcfbfadc34d83c03fb2b1e111577e26488ed7701fbf678508d82f4ad169736
                                                                                  • Opcode Fuzzy Hash: 9a262c0e4b8aa53e1a333b3ea306f831dcb7f843b01038a7b91decec7af1b2d6
                                                                                  • Instruction Fuzzy Hash: C221B971E44209AFDB10DFA8D884AEEBBF8FF45314F1441ADD60AE7611DB309A45CBA0

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph: function at 02CDF89A (node and edge data omitted; APIs reached from the graph: CreateFileA, DeviceIoControl, GetLastError, CloseHandle)
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02CDF8B9
                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02CDF8F7
                                                                                  • GetLastError.KERNEL32 ref: 02CDF958
                                                                                  • CloseHandle.KERNEL32(?), ref: 02CDF98F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                  • String ID: \\.\PhysicalDrive0
                                                                                  • API String ID: 4026078076-1180397377
                                                                                  • Opcode ID: 5e9409c5f6b015bdfdf0c77568386a4e864e92c1cd1b1488e6050bf0e2769484
                                                                                  • Instruction ID: 050f059f7de933e67d0cfee68cd92a65ff0c2c93bdf4ff05630e1116befddc87
                                                                                  • Opcode Fuzzy Hash: 5e9409c5f6b015bdfdf0c77568386a4e864e92c1cd1b1488e6050bf0e2769484
                                                                                  • Instruction Fuzzy Hash: 5B31AD71E00219BBDB24DF95D884BAEBBB8FF49714F20416EE606A7A80D7705B05CBD4

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph: function at 00401A4F (node and edge data omitted; APIs reached from the graph: CreateFileA, DeviceIoControl, GetLastError, CloseHandle)
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                  • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                  • GetLastError.KERNEL32 ref: 00401B0E
                                                                                  • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                  • String ID: \\.\PhysicalDrive0
                                                                                  • API String ID: 4026078076-1180397377
                                                                                  • Opcode ID: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                                  • Instruction ID: fc4aaa1cf60edb7db06fdbd05dea25136cd7d186831ecbc7bbbcf924abbffa34
                                                                                  • Opcode Fuzzy Hash: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                                  • Instruction Fuzzy Hash: 74318B71D00218EADB21AFA5CD849EFBBB9FF41750F20407AE554B32A0E7785E45CB98

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph: function at 02CD6330 (node and edge data omitted; APIs reached from the graph: RtlInitializeCriticalSection, GetModuleHandleA, GetProcAddress, GetTickCount, GetVersionExA, GetProcessHeap, RtlAllocateHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, QueryPerformanceCounter, Sleep, InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle)
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                  • API String ID: 0-2678694477
                                                                                  • Opcode ID: 26afa334ec6b72b76b76d1e3ce66365ea1b3724a02e71bcfb3c3936ec1cb3cd6
                                                                                  • Instruction ID: 47bcb658d1ad3ce40177c8b08028942c4f490d8623e55317a0ff512f25890363
                                                                                  • Opcode Fuzzy Hash: 26afa334ec6b72b76b76d1e3ce66365ea1b3724a02e71bcfb3c3936ec1cb3cd6
                                                                                  • Instruction Fuzzy Hash: DEB17CB19483909FE711AF34AC45B5BBFE8AF89320F24086EF6858B291D7755805CF93

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CD1D11
                                                                                  • GetLastError.KERNEL32 ref: 02CD1D23
                                                                                    • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CD1D59
                                                                                  • GetLastError.KERNEL32 ref: 02CD1D6B
                                                                                  • __beginthreadex.LIBCMT ref: 02CD1DB1
                                                                                  • GetLastError.KERNEL32 ref: 02CD1DC6
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CD1DDD
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CD1DEC
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02CD1E14
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CD1E1B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                  • String ID: thread$thread.entry_event$thread.exit_event
                                                                                  • API String ID: 831262434-3017686385
                                                                                  • Opcode ID: b1a387757d10f0077d3e4979a88c6b73f64e81e8194aff68b5cf9da6df15e8f8
                                                                                  • Instruction ID: 945e54c8e315702f8e47471eeb791b6563a050b3bc51321102eead5d6d0f91b4
                                                                                  • Opcode Fuzzy Hash: b1a387757d10f0077d3e4979a88c6b73f64e81e8194aff68b5cf9da6df15e8f8
                                                                                  • Instruction Fuzzy Hash: 50315C71A003059FD700EF24C848B2BBBA5FF84754F14496EFA599B291DBB09949CBD2

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph: function at 02CD4603 (node and edge data omitted; APIs reached from the graph: htons, htonl)
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD4608
                                                                                    • Part of subcall function 02CE3B4C: _malloc.LIBCMT ref: 02CE3B64
                                                                                  • htons.WS2_32(?), ref: 02CD4669
                                                                                  • htonl.WS2_32(?), ref: 02CD468C
                                                                                  • htonl.WS2_32(00000000), ref: 02CD4693
                                                                                  • htons.WS2_32(00000000), ref: 02CD4747
                                                                                  • _sprintf.LIBCMT ref: 02CD475D
                                                                                    • Part of subcall function 02CD8983: _memmove.LIBCMT ref: 02CD89A3
                                                                                  • htons.WS2_32(?), ref: 02CD46B0
                                                                                    • Part of subcall function 02CD972E: __EH_prolog.LIBCMT ref: 02CD9733
                                                                                    • Part of subcall function 02CD972E: RtlEnterCriticalSection.NTDLL(00000020), ref: 02CD97AE
                                                                                    • Part of subcall function 02CD972E: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CD97CC
                                                                                    • Part of subcall function 02CD1BA7: __EH_prolog.LIBCMT ref: 02CD1BAC
                                                                                    • Part of subcall function 02CD1BA7: RtlEnterCriticalSection.NTDLL ref: 02CD1BBC
                                                                                    • Part of subcall function 02CD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CD1BEA
                                                                                    • Part of subcall function 02CD1BA7: RtlEnterCriticalSection.NTDLL ref: 02CD1C13
                                                                                    • Part of subcall function 02CD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CD1C56
                                                                                    • Part of subcall function 02CDDEEA: __EH_prolog.LIBCMT ref: 02CDDEEF
                                                                                  • htonl.WS2_32(?), ref: 02CD497C
                                                                                  • htonl.WS2_32(00000000), ref: 02CD4983
                                                                                  • htonl.WS2_32(00000000), ref: 02CD49C8
                                                                                  • htonl.WS2_32(00000000), ref: 02CD49CF
                                                                                  • htons.WS2_32(?), ref: 02CD49EF
                                                                                  • htons.WS2_32(?), ref: 02CD49F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1645262487-0
                                                                                  • Opcode ID: b4d727cfa70981f5da513940d19a13f4378dcceab071cc491b1bbc417de0fa97
                                                                                  • Instruction ID: 2241e5b76cb9e98679d61ef6b1b81f58fe511292f6139e3d60d9a70224a58220
                                                                                  • Opcode Fuzzy Hash: b4d727cfa70981f5da513940d19a13f4378dcceab071cc491b1bbc417de0fa97
                                                                                  • Instruction Fuzzy Hash: E6024871D00259EFDF25DBE4C844BEEBBB9AF08304F10455AE609B7280DB746A49DFA1

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph: function at 02CD4D86 (node and edge data omitted; APIs reached from the graph: RtlEnterCriticalSection, RtlLeaveCriticalSection)
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD4D8B
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD4DB7
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD4DC3
                                                                                    • Part of subcall function 02CD4BED: __EH_prolog.LIBCMT ref: 02CD4BF2
                                                                                    • Part of subcall function 02CD4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02CD4CF2
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD4E93
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD4E99
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD4EA0
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD4EA6
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD50A7
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD50AD
                                                                                  • RtlEnterCriticalSection.NTDLL(02D071E0), ref: 02CD50B8
                                                                                  • RtlLeaveCriticalSection.NTDLL(02D071E0), ref: 02CD50C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                  • String ID:
                                                                                  • API String ID: 2062355503-0
                                                                                  • Opcode ID: bc42b5cb07c6159d4eaa4740e1797d7ccc474ca6b8f313f7c5d2e32ae3b8d9fb
                                                                                  • Instruction ID: 914c4ae0a1a8e98ebe63d83d8c43120aa41fff845edb80d412552195d7bc36a4
                                                                                  • Opcode Fuzzy Hash: bc42b5cb07c6159d4eaa4740e1797d7ccc474ca6b8f313f7c5d2e32ae3b8d9fb
                                                                                  • Instruction Fuzzy Hash: F5B16C71D0025DDFEF25DFA0C880BEEBBB5AF44314F14419AE6057A280DBB46A49DF92

                                                                                  Control-flow Graph
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                  • GetLastError.KERNEL32 ref: 00401F86
                                                                                  • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                  • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                  • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                  • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                                  • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                  • String ID:
                                                                                  • API String ID: 564119183-0
                                                                                  • Opcode ID: 44f877009007b5f29329c5f7e1656286887f6d20cb13e747ef411fa866021a9c
                                                                                  • Instruction ID: e5d4e2c5cc696d14c6606068760314b471c6e553d687b3536135e46d88421c00
                                                                                  • Opcode Fuzzy Hash: 44f877009007b5f29329c5f7e1656286887f6d20cb13e747ef411fa866021a9c
                                                                                  • Instruction Fuzzy Hash: AA314E71A00255AFDB105FB59F88A6F7F68EF49344F10407AFA46F7281DA748841C7A8

                                                                                  Control-flow Graph
                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CD2706
                                                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02CD272B
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02CF5B53), ref: 02CD2738
                                                                                    • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
                                                                                  • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02CD2778
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CD27D9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                  • String ID: timer
                                                                                  • API String ID: 4293676635-1792073242
                                                                                  • Opcode ID: 8c5b6e360bd28980ac3920728e9dcc04fcc53e141ae3ad6241ea058118c2b721
                                                                                  • Instruction ID: 63aa338d40b9ae31dcbfb7b7ec355f8602566de35cd0fb138847db06bf94ee2d
                                                                                  • Opcode Fuzzy Hash: 8c5b6e360bd28980ac3920728e9dcc04fcc53e141ae3ad6241ea058118c2b721
                                                                                  • Instruction Fuzzy Hash: 93318FB1904705AFD360DF65C944B66FBE8FB48724F014A2EFA5583A80E770E914CF96

                                                                                  Control-flow Graph
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2BE4
                                                                                  • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02CD2C07
                                                                                    • Part of subcall function 02CDA500: WSAGetLastError.WS2_32(00000000,?,?,02CD2A51), ref: 02CDA50E
                                                                                  • WSASetLastError.WS2_32 ref: 02CD2CD3
                                                                                  • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02CD2CE7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$Recvselect
                                                                                  • String ID: 3'
                                                                                  • API String ID: 886190287-280543908
                                                                                  • Opcode ID: 921ae3f1c6adb3155432213f8c90f7c77b9f18ecf409bb6aad88f0bb2ecc0e42
                                                                                  • Instruction ID: 796bf9d61b4301e22452c6f1d16e95e5125d4a28d1d00cdc5df82bba4e7b1724
                                                                                  • Opcode Fuzzy Hash: 921ae3f1c6adb3155432213f8c90f7c77b9f18ecf409bb6aad88f0bb2ecc0e42
                                                                                  • Instruction Fuzzy Hash: 6D416DB1A143059FDB109F74C40476BBBE9BF84358F100D1EEA9A97282EBB0D944CB92

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetVersion.KERNEL32 ref: 00402ED6
                                                                                    • Part of subcall function 00403FF4: HeapCreate.KERNEL32(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                    • Part of subcall function 00403FF4: HeapDestroy.KERNEL32 ref: 00404044
                                                                                  • GetCommandLineA.KERNEL32 ref: 00402F24
                                                                                  • GetStartupInfoA.KERNEL32(?), ref: 00402F4F
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402F72
                                                                                    • Part of subcall function 00402FCB: ExitProcess.KERNEL32 ref: 00402FE8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                  • String ID: Y
                                                                                  • API String ID: 2057626494-4136946213
                                                                                  • Opcode ID: 325e7f914570c168081717ad5a7bff573080d66766d455433493ccebbf55a55a
                                                                                  • Instruction ID: 6c04a93e5977c8bd62da79476c711382ac288be854cd46207c6038a295986733
                                                                                  • Opcode Fuzzy Hash: 325e7f914570c168081717ad5a7bff573080d66766d455433493ccebbf55a55a
                                                                                  • Instruction Fuzzy Hash: 0F21AEB1800615AADB08AFA6DE4AA6E7FB8EF04705F10413FF501BB2E1DB388500CB58

                                                                                  Control-flow Graph
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2A3B
                                                                                  • closesocket.WS2_32 ref: 02CD2A42
                                                                                  • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02CD2A89
                                                                                  • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02CD2A97
                                                                                  • closesocket.WS2_32 ref: 02CD2A9E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 1561005644-0
                                                                                  • Opcode ID: cd15865fc8ff7142afe7bf093459bd9478e98d23b9c5111471300521ab654600
                                                                                  • Instruction ID: f13e49fca9d4e7f1461727a23679c0c597fb6bb04184d71d8391a413bcc9fb4b
                                                                                  • Opcode Fuzzy Hash: cd15865fc8ff7142afe7bf093459bd9478e98d23b9c5111471300521ab654600
                                                                                  • Instruction Fuzzy Hash: BD210D72E40205AFEB209BF8D84476AB7E9EF84315F14496DEE49D3142FB70CA44CB52
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD1BAC
                                                                                  • RtlEnterCriticalSection.NTDLL ref: 02CD1BBC
                                                                                  • RtlLeaveCriticalSection.NTDLL ref: 02CD1BEA
                                                                                  • RtlEnterCriticalSection.NTDLL ref: 02CD1C13
                                                                                  • RtlLeaveCriticalSection.NTDLL ref: 02CD1C56
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 1633115879-0
                                                                                  • Opcode ID: 2c4a967bcb0506f7b406b2434ab6c8299d8bdb911d7cab9afabdba6a6a5c6aea
                                                                                  • Instruction ID: e7f05d7f39c962d483abbabc026e8a828116736e6f72bf873689574b90f8da3b
                                                                                  • Opcode Fuzzy Hash: 2c4a967bcb0506f7b406b2434ab6c8299d8bdb911d7cab9afabdba6a6a5c6aea
                                                                                  • Instruction Fuzzy Hash: 8321D1B5900604EFDB14CF68C44479ABBB5FF88310F148589EE0997301DBB0EA15CBE0
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 02CE3B64
                                                                                    • Part of subcall function 02CE2FAC: __FF_MSGBANNER.LIBCMT ref: 02CE2FC3
                                                                                    • Part of subcall function 02CE2FAC: __NMSG_WRITE.LIBCMT ref: 02CE2FCA
                                                                                    • Part of subcall function 02CE2FAC: RtlAllocateHeap.NTDLL(00960000,00000000,00000001), ref: 02CE2FEF
                                                                                  • std::exception::exception.LIBCMT ref: 02CE3B82
                                                                                  • __CxxThrowException@8.LIBCMT ref: 02CE3B97
                                                                                    • Part of subcall function 02CE455A: RaiseException.KERNEL32(?,?,02CDFB56,?,?,?,?,?,?,?,02CDFB56,?,02D00F98,?), ref: 02CE45AF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                  • String ID: bad allocation
                                                                                  • API String ID: 3074076210-2104205924
                                                                                  • Opcode ID: 3d06cf4eb94fa2dc415899b76c7419c9a0b37f87a8c8d28fd9dab923f7061982
                                                                                  • Instruction ID: 1ab7c6d656cf53af155b17c7c7a7603acdbb929ffb272eed0456bcd7fa8d6e6a
                                                                                  • Opcode Fuzzy Hash: 3d06cf4eb94fa2dc415899b76c7419c9a0b37f87a8c8d28fd9dab923f7061982
                                                                                  • Instruction Fuzzy Hash: B2E0307090020EA6DF10FEA4DD45AAF7769AB00314F404595DC1667590DB719A14EA91
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2EEE
                                                                                  • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CD2EFD
                                                                                  • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CD2F0C
                                                                                  • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02CD2F36
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$Socketsetsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 2093263913-0
                                                                                  • Opcode ID: bdc57f8065c302837d7ad0b4d608343ed110a294ddd7ff2a0fa50ec98fdb31f2
                                                                                  • Instruction ID: 116cd3e644f3998a07ddf6971a232c412653d4f8a1ec3d1145c3a1078befb875
                                                                                  • Opcode Fuzzy Hash: bdc57f8065c302837d7ad0b4d608343ed110a294ddd7ff2a0fa50ec98fdb31f2
                                                                                  • Instruction Fuzzy Hash: BF018872A50214FBDB205F65DC48F5ABBA9EB89761F008969FA08DB181D7B18900CBB1
                                                                                  APIs
                                                                                    • Part of subcall function 02CD2D39: WSASetLastError.WS2_32(00000000), ref: 02CD2D47
                                                                                    • Part of subcall function 02CD2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02CD2D5C
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2E6D
                                                                                  • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02CD2E83
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$Sendselect
                                                                                  • String ID: 3'
                                                                                  • API String ID: 2958345159-280543908
                                                                                  • Opcode ID: cabb8d7ade26555a48be856fae9c5df9ee8e8b66b1a2e0194b8ddca25030ad91
                                                                                  • Instruction ID: e42786ae2f1018ba4b849732c6c884bbd0ef1541fdbe188ca46fe8dcc3ca435a
                                                                                  • Opcode Fuzzy Hash: cabb8d7ade26555a48be856fae9c5df9ee8e8b66b1a2e0194b8ddca25030ad91
                                                                                  • Instruction Fuzzy Hash: BD31BEB1E102099FDF10DFB0C8147EE7BAAAF44328F00495ADE0597282E7B19595DFE2
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02CD83CA,?,?,00000000), ref: 02CD96C7
                                                                                  • getsockname.WS2_32(?,?,?), ref: 02CD96DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastgetsockname
                                                                                  • String ID: &'
                                                                                  • API String ID: 566540725-655172784
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDCDA0
                                                                                    • Part of subcall function 02CDD35E: std::exception::exception.LIBCMT ref: 02CDD38B
                                                                                    • Part of subcall function 02CDDB74: __EH_prolog.LIBCMT ref: 02CDDB79
                                                                                    • Part of subcall function 02CE3B4C: _malloc.LIBCMT ref: 02CE3B64
                                                                                    • Part of subcall function 02CDD3BB: __EH_prolog.LIBCMT ref: 02CDD3C0
                                                                                  Strings
                                                                                  • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02CDCDD6
                                                                                  • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CDCDDD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$_mallocstd::exception::exception
                                                                                  • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                  • API String ID: 1953324306-412195191
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2AEA
                                                                                  • connect.WS2_32(?,?,?), ref: 02CD2AF5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastconnect
                                                                                  • String ID: 3'
                                                                                  • API String ID: 374722065-280543908
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID: $Kd$'N!
                                                                                  • API String ID: 3535843008-485235335
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue
                                                                                  • String ID: DP Free Video Converter 10.23.46
                                                                                  • API String ID: 3356406503-2979630242
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD986B
                                                                                  • getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 02CD9879
                                                                                  • FreeAddrInfoW.WS2_32(?), ref: 02CD99AD
                                                                                    • Part of subcall function 02CD9F4C: __EH_prolog.LIBCMT ref: 02CD9F51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddrErrorFreeH_prologInfoLastgetaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 927184805-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  APIs
                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 02CD36A7
                                                                                    • Part of subcall function 02CD2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CD2432
                                                                                    • Part of subcall function 02CD2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CD2445
                                                                                    • Part of subcall function 02CD2420: RtlEnterCriticalSection.NTDLL(?), ref: 02CD2454
                                                                                    • Part of subcall function 02CD2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2469
                                                                                    • Part of subcall function 02CD2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02CD2470
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1601054111-0
                                                                                  APIs
                                                                                  • __beginthreadex.LIBCMT ref: 02CE2106
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02CDA980,00000000), ref: 02CE2137
                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,00000002,02CDA980,00000000), ref: 02CE2145
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandleResumeThread__beginthreadex
                                                                                  • String ID:
                                                                                  • API String ID: 1685284544-0
                                                                                  APIs
                                                                                  • InterlockedIncrement.KERNEL32(02D072B4), ref: 02CD1ABA
                                                                                  • WSAStartup.WS2_32(00000002,00000000), ref: 02CD1ACB
                                                                                  • InterlockedExchange.KERNEL32(02D072B8,00000000), ref: 02CD1AD7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked$ExchangeIncrementStartup
                                                                                  • String ID:
                                                                                  • API String ID: 1856147945-0
                                                                                  APIs
                                                                                  • GetCommandLineW.KERNEL32 ref: 0040250A
                                                                                  • CommandLineToArgvW.SHELL32(00000000), ref: 0040D0D1
                                                                                  • GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: CommandLine$ArgvLocalTime
                                                                                  • String ID:
                                                                                  • API String ID: 3768950922-0
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: LocalTime
                                                                                  • String ID: (
                                                                                  • API String ID: 481472006-3887548279
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID: DP Free Video Converter 10.23.46
                                                                                  • API String ID: 3535843008-2979630242
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD4BF2
                                                                                    • Part of subcall function 02CD1BA7: __EH_prolog.LIBCMT ref: 02CD1BAC
                                                                                    • Part of subcall function 02CD1BA7: RtlEnterCriticalSection.NTDLL ref: 02CD1BBC
                                                                                    • Part of subcall function 02CD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CD1BEA
                                                                                    • Part of subcall function 02CD1BA7: RtlEnterCriticalSection.NTDLL ref: 02CD1C13
                                                                                    • Part of subcall function 02CD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CD1C56
                                                                                    • Part of subcall function 02CDE0EF: __EH_prolog.LIBCMT ref: 02CDE0F4
                                                                                    • Part of subcall function 02CDE0EF: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CDE173
                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02CD4CF2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                  • String ID:
                                                                                  • API String ID: 1927618982-0
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD2D47
                                                                                  • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02CD2D5C
                                                                                    • Part of subcall function 02CDA500: WSAGetLastError.WS2_32(00000000,?,?,02CD2A51), ref: 02CDA50E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$Send
                                                                                  • String ID:
                                                                                  • API String ID: 1282938840-0
                                                                                  • Opcode ID: 2926e911be7af9371b96a32eb68b27fa1beac29d89fa40f50a632b0d6c0062ee
                                                                                  • Instruction ID: efa3bfc52eadb565c9d47ed1df396b339ca7d8065b629f6eadde152fff024d91
                                                                                  • Opcode Fuzzy Hash: 2926e911be7af9371b96a32eb68b27fa1beac29d89fa40f50a632b0d6c0062ee
                                                                                  • Instruction Fuzzy Hash: 0E01ACB5900209EFD7205F95C88496BFBEDFF85764B20452EFD5993201EB709D00DBA1
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __calloc_crt
                                                                                  • String ID:
                                                                                  • API String ID: 3494438863-0
                                                                                  • Opcode ID: 125483bcf6ededb313843cf8552fa38f67eeddefa573ffc5f7fe204a7df644ba
                                                                                  • Instruction ID: da9da03641b138dfd0b9f7ba2120c5f6a01b13da884d6971aada4aeda91c17a5
                                                                                  • Opcode Fuzzy Hash: 125483bcf6ededb313843cf8552fa38f67eeddefa573ffc5f7fe204a7df644ba
                                                                                  • Instruction Fuzzy Hash: 56F0FC716887019EFF589E15FC927E27795EB80720F540C1AF102CE398E3708C40A744
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD83FE
                                                                                  • shutdown.WS2_32(?,00000002), ref: 02CD8407
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastshutdown
                                                                                  • String ID:
                                                                                  • API String ID: 1920494066-0
                                                                                  • Opcode ID: 36731938bf51de79fadc61a0768b276ba9d0a92f214758f257ff1bab7acd7190
                                                                                  • Instruction ID: 72fccaaa79331653440dd16bb56caf4806056cb21ff256184c652d7c80a07990
                                                                                  • Opcode Fuzzy Hash: 36731938bf51de79fadc61a0768b276ba9d0a92f214758f257ff1bab7acd7190
                                                                                  • Instruction Fuzzy Hash: 78F09072A04314CFC7509F58D414B5AB7E5FF48320F014A1CEA5997380E770A801CBA1
                                                                                  APIs
                                                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                    • Part of subcall function 00403EAC: GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                  • HeapDestroy.KERNEL32 ref: 00404044
                                                                                    • Part of subcall function 004043CB: HeapAlloc.KERNEL32(00000000,00000140,0040402D,000003F8), ref: 004043D8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocCreateDestroyVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2507506473-0
                                                                                  • Opcode ID: 08e9c7453818299e866e88d70da67c55485919fcfb4e135f4816fa3d6e61eb40
                                                                                  • Instruction ID: b4f27171ca293894694a4990bfc5d7c260993408134cd234969321435d2c18a9
                                                                                  • Opcode Fuzzy Hash: 08e9c7453818299e866e88d70da67c55485919fcfb4e135f4816fa3d6e61eb40
                                                                                  • Instruction Fuzzy Hash: 18F092F0656301DAEB205B71AE4673A39949BC0B86F20443BF740F91E1EF7C8481D60D
                                                                                  APIs
                                                                                  • CommandLineToArgvW.SHELL32(00000000), ref: 0040D0D1
                                                                                  • GetLocalTime.KERNEL32(0040C2C8), ref: 0040D4C5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: ArgvCommandLineLocalTime
                                                                                  • String ID:
                                                                                  • API String ID: 561774760-0
                                                                                  • Opcode ID: c6f1959fd0e4a5e57e9212950f11b71cbeaa3b1364d0a37361e57c370383f048
                                                                                  • Instruction ID: d9434859a2521f5014afe1b2acdda15a949712a0542376f0925ae5c52f55e38c
                                                                                  • Opcode Fuzzy Hash: c6f1959fd0e4a5e57e9212950f11b71cbeaa3b1364d0a37361e57c370383f048
                                                                                  • Instruction Fuzzy Hash: 01E08631C09203EFC7002FE45E491693AE4AB05391734497BD143F52E0DA7C408B976F
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD511E
                                                                                    • Part of subcall function 02CD3D7E: htons.WS2_32(?), ref: 02CD3DA2
                                                                                    • Part of subcall function 02CD3D7E: htonl.WS2_32(00000000), ref: 02CD3DB9
                                                                                    • Part of subcall function 02CD3D7E: htonl.WS2_32(00000000), ref: 02CD3DC0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: htonl$H_prologhtons
                                                                                  • String ID:
                                                                                  • API String ID: 4039807196-0
                                                                                  • Opcode ID: 1509bd87b7663e57d8a262f770d8174839cac24356b38d592f14980d816c0f5c
                                                                                  • Instruction ID: e3633406e9f0c5877bf4afddff70785dbbb55ac21b5ce849ecc0d24295b31fce
                                                                                  • Opcode Fuzzy Hash: 1509bd87b7663e57d8a262f770d8174839cac24356b38d592f14980d816c0f5c
                                                                                  • Instruction Fuzzy Hash: 398166B1D0424E8FCF05DFA8D490AEEBBB5EF48314F14819AD914B7240EB365A09CFA0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: fe359449fa8a03faf506c517af29428b75fed792ca84d1340bcfe527158de6fd
                                                                                  • Instruction ID: 2fddb41a280be6029417b902ed7a4280d5b7176913484d29d99d8efec2177605
                                                                                  • Opcode Fuzzy Hash: fe359449fa8a03faf506c517af29428b75fed792ca84d1340bcfe527158de6fd
                                                                                  • Instruction Fuzzy Hash: 2C412A7190024AAFCF18DF99C890EEEBBB9EF88314F04416AE605A7240D7759A45DFA1
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDE9BD
                                                                                    • Part of subcall function 02CD1A01: TlsGetValue.KERNEL32 ref: 02CD1A0A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prologValue
                                                                                  • String ID:
                                                                                  • API String ID: 3700342317-0
                                                                                  • Opcode ID: 2685245e73f4d816e7cf60d0754489fa7fa7b85a3cbf18f7ee6286fcbce5b6bd
                                                                                  • Instruction ID: e3ab9dea7e239cb1e86b3184b55d86592fb55a8a91fd6fe78a3d8873a54dfb1b
                                                                                  • Opcode Fuzzy Hash: 2685245e73f4d816e7cf60d0754489fa7fa7b85a3cbf18f7ee6286fcbce5b6bd
                                                                                  • Instruction Fuzzy Hash: B22132B190420AAFDB04DFA5D540AFEBBF9FF49314F10811EE619E7240D771AA01DBA1
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002D0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D0A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2d0a000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Query_
                                                                                  • String ID:
                                                                                  • API String ID: 428220571-0
                                                                                  • Opcode ID: 22a4a6748374cd2c8cba5525c2f80c82c44bc4c8e4d491f05cd65c64cdc3ca73
                                                                                  • Instruction ID: 7256328ce974af22a07c51d201e90fb596c90868a1d474258d2f31708642d6fd
                                                                                  • Opcode Fuzzy Hash: 22a4a6748374cd2c8cba5525c2f80c82c44bc4c8e4d491f05cd65c64cdc3ca73
                                                                                  • Instruction Fuzzy Hash: 281188B251C7149FE3153E18ECC63B9F7E8EB84311F16862DD7C003B08EA34680486C6
                                                                                  APIs
                                                                                  • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02CD33CC
                                                                                    • Part of subcall function 02CD32AB: __EH_prolog.LIBCMT ref: 02CD32B0
                                                                                    • Part of subcall function 02CD32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02CD32C3
                                                                                    • Part of subcall function 02CD32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02CD32EF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                                  • String ID:
                                                                                  • API String ID: 1518410164-0
                                                                                  • Opcode ID: 18fa459a50786ec410dd7831fb43fdb1c70e48e7c7f2a6506cff091ca6dccb93
                                                                                  • Instruction ID: a87eceaec025f0c2f2380916a033dd7a1052900e45a27d55955e2eda378d48c0
                                                                                  • Opcode Fuzzy Hash: 18fa459a50786ec410dd7831fb43fdb1c70e48e7c7f2a6506cff091ca6dccb93
                                                                                  • Instruction Fuzzy Hash: 5E018070615606AFD704CF59D885F55BBA9FF84320F10835AEA28872C0EB70E921CFA5
                                                                                  APIs
                                                                                    • Part of subcall function 02CDD3BB: __EH_prolog.LIBCMT ref: 02CDD3C0
                                                                                  • __CxxThrowException@8.LIBCMT ref: 02CDDCA5
                                                                                    • Part of subcall function 02CE455A: RaiseException.KERNEL32(?,?,02CDFB56,?,?,?,?,?,?,?,02CDFB56,?,02D00F98,?), ref: 02CE45AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionException@8H_prologRaiseThrow
                                                                                  • String ID:
                                                                                  • API String ID: 1681477883-0
                                                                                  • Opcode ID: 0c3fd0646f162f4827fd69c78f025b39f9589c9bd4d1d0f902e643c3ceb47039
                                                                                  • Instruction ID: 5d0a118209145592ccf4dea2ddeca9dcab042543ea93c4130a6dc1e9e2bbeff7
                                                                                  • Opcode Fuzzy Hash: 0c3fd0646f162f4827fd69c78f025b39f9589c9bd4d1d0f902e643c3ceb47039
                                                                                  • Instruction Fuzzy Hash: C5F04FB19143086BD618ABEDDC49DAB73EDDF08714B00055DFA0793650EAA5B8048AA2
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDE54D
                                                                                    • Part of subcall function 02CD26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02CD2706
                                                                                    • Part of subcall function 02CD26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02CD272B
                                                                                    • Part of subcall function 02CD26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02CF5B53), ref: 02CD2738
                                                                                    • Part of subcall function 02CD26DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02CD2778
                                                                                    • Part of subcall function 02CD26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02CD27D9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                  • String ID:
                                                                                  • API String ID: 4293676635-0
                                                                                  • Opcode ID: 10aa6dc64e6111911206d08a08fce66e9dec81ea32ad135047af736b702403d5
                                                                                  • Instruction ID: af2f11148e554240193603e4452b7ed986728444136f3a78e401f3d900f62191
                                                                                  • Opcode Fuzzy Hash: 10aa6dc64e6111911206d08a08fce66e9dec81ea32ad135047af736b702403d5
                                                                                  • Instruction Fuzzy Hash: C1019CB5910B049FC398CF1AC64098AFBF5EF88710B15C5AF955A8B721E771AA40CF94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: b581c9ec6ad076559c56b2a4ab5eaaaf284dc3c8b83333fc2c97dbe9134db8f3
                                                                                  • Instruction ID: e745a685359c687d3d825dd480fb543b8200795d3078283e8536241295c4df4a
                                                                                  • Opcode Fuzzy Hash: b581c9ec6ad076559c56b2a4ab5eaaaf284dc3c8b83333fc2c97dbe9134db8f3
                                                                                  • Instruction Fuzzy Hash: 3ED05B32604015D6C7054EF59A4C5EFB7749740349F205473DD07F04C0D3FC954E561A
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDE32C
                                                                                    • Part of subcall function 02CE3B4C: _malloc.LIBCMT ref: 02CE3B64
                                                                                    • Part of subcall function 02CDE548: __EH_prolog.LIBCMT ref: 02CDE54D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 4254904621-0
                                                                                  • Opcode ID: b4957ad04a7722cf0521d6669f8ece7a25542c9e5890d0444f18c7a15df25c40
                                                                                  • Instruction ID: bd141b6e119afe7f60b1d9a24068a0cf043ac48ffc0cc9ddc9dfa8221ab067a3
                                                                                  • Opcode Fuzzy Hash: b4957ad04a7722cf0521d6669f8ece7a25542c9e5890d0444f18c7a15df25c40
                                                                                  • Instruction Fuzzy Hash: 1FE0C2B1A00109ABDF8DEF68D80073EB7A6EB44700F0041ADBA0EE7340EF709A009B04
APIs
• RegSetValueExA.KERNEL32(?,?,?,00000004), ref: 0040D581
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
  • Part of subcall function 02CE5C5A: __getptd_noexit.LIBCMT ref: 02CE5C5B
  • Part of subcall function 02CE5C5A: __amsg_exit.LIBCMT ref: 02CE5C68
  • Part of subcall function 02CE3493: __getptd_noexit.LIBCMT ref: 02CE3497
  • Part of subcall function 02CE3493: __freeptd.LIBCMT ref: 02CE34B1
  • Part of subcall function 02CE3493: RtlExitUserThread.NTDLL(?,00000000,?,02CE3473,00000000), ref: 02CE34BA
• __XcptFilter.LIBCMT ref: 02CE347F
  • Part of subcall function 02CE8D94: __getptd_noexit.LIBCMT ref: 02CE8D98
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
• String ID:
• API String ID: 1405322794-0
APIs
• RegSetValueExA.KERNEL32(?,?,?,00000004), ref: 0040D581
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
• OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004022A5
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
APIs
• LoadLibraryExA.KERNEL32(?,00000000), ref: 0040DA58
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• LoadLibraryExA.KERNEL32(?,00000000), ref: 0040DA58
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• CloseHandle.KERNEL32(4CF334AB), ref: 02D6679D
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002D0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d0a000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002D0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d0a000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
  • Part of subcall function 02CE1610: OpenEventA.KERNEL32(00100002,00000000,00000000,F7EA2C26), ref: 02CE16B0
  • Part of subcall function 02CE1610: CloseHandle.KERNEL32(00000000), ref: 02CE16C5
  • Part of subcall function 02CE1610: ResetEvent.KERNEL32(00000000,F7EA2C26), ref: 02CE16CF
  • Part of subcall function 02CE1610: CloseHandle.KERNEL32(00000000,F7EA2C26), ref: 02CE1704
• TlsSetValue.KERNEL32(0000002C,?), ref: 02CE21AA
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• VirtualAlloc.KERNEL32(00000000), ref: 0040D535
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
  • Part of subcall function 02CD9AD0: __EH_prolog.LIBCMT ref: 02CD9AD5
  • Part of subcall function 02CD9AD0: _Allocate.LIBCPMT ref: 02CD9B2C
  • Part of subcall function 02CD9AD0: _memmove.LIBCMT ref: 02CD9B83
• _memset.LIBCMT ref: 02CE0939
• FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02CE09A2
• GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02CE09AA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
• String ID: Unknown error$invalid string position
• API String ID: 1854462395-1837348584
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,02CE4E96,?,?,?,00000001), ref: 02CE952D
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02CE9536
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040D640
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
APIs
• __EH_prolog.LIBCMT ref: 02CD24E6
• InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02CD24FC
• RtlEnterCriticalSection.NTDLL(?), ref: 02CD250E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02CD256D
• SetLastError.KERNEL32(00000000,?,771ADFB0), ref: 02CD257F
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,771ADFB0), ref: 02CD2599
• GetLastError.KERNEL32(?,771ADFB0), ref: 02CD25A2
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CD25F0
• InterlockedDecrement.KERNEL32(00000002), ref: 02CD262F
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 02CD268E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD2699
• InterlockedExchange.KERNEL32(00000000,00000001), ref: 02CD26AD
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,771ADFB0), ref: 02CD26BD
• GetLastError.KERNEL32(?,771ADFB0), ref: 02CD26C7
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
• String ID:
• API String ID: 1213838671-0
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(DP Free Video Converter 10.23.46,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
• GetLastError.KERNEL32 ref: 00402422
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• GetLastError.KERNEL32 ref: 00402450
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402480
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• CloseHandle.KERNEL32 ref: 004024A1
• SetServiceStatus.ADVAPI32(0040C418), ref: 004024CA
Strings
• DP Free Video Converter 10.23.46, xrefs: 004023BC
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: DP Free Video Converter 10.23.46
• API String ID: 3346042915-2979630242
APIs
• RtlDecodePointer.NTDLL(?), ref: 02CE833B
• _free.LIBCMT ref: 02CE8354
  • Part of subcall function 02CE2F74: HeapFree.KERNEL32(00000000,00000000,?,02CE5CD2,00000000,00000104,771B0A60), ref: 02CE2F88
  • Part of subcall function 02CE2F74: GetLastError.KERNEL32(00000000,?,02CE5CD2,00000000,00000104,771B0A60), ref: 02CE2F9A
• _free.LIBCMT ref: 02CE8367
• _free.LIBCMT ref: 02CE8385
• _free.LIBCMT ref: 02CE8397
• _free.LIBCMT ref: 02CE83A8
• _free.LIBCMT ref: 02CE83B3
• _free.LIBCMT ref: 02CE83D7
• RtlEncodePointer.NTDLL(0097E5D8), ref: 02CE83DE
• _free.LIBCMT ref: 02CE83F3
• _free.LIBCMT ref: 02CE8409
• _free.LIBCMT ref: 02CE8431
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
• String ID:
• API String ID: 3064303923-0
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BBD
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BD1
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BFD
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C35
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C57
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C70
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403C83
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403CC1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID: 4/@
• API String ID: 1823725401-3101945251
APIs
• __EH_prolog.LIBCMT ref: 02CD3428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02CD346B
• GetProcAddress.KERNEL32(00000000), ref: 02CD3472
• GetLastError.KERNEL32 ref: 02CD3486
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02CD34D7
• RtlEnterCriticalSection.NTDLL(00000018), ref: 02CD34ED
• RtlLeaveCriticalSection.NTDLL(00000018), ref: 02CD3518
Strings
Memory Dump Source
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404381,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 0040658A
                                                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065A2
                                                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065B3
                                                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004065C0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                  • API String ID: 2238633743-4044615076
                                                                                  • Opcode ID: a0b46ec352b875195395f46d5bc267ff39082988a2927e7e8ea907aadebae93b
                                                                                  • Instruction ID: a9d780b885e0602dd0934733115970cade34e3288e29060c7522bfbf4f1c42d3
                                                                                  • Opcode Fuzzy Hash: a0b46ec352b875195395f46d5bc267ff39082988a2927e7e8ea907aadebae93b
                                                                                  • Instruction Fuzzy Hash: 2C017571600201FBCB219FB5AFC096F3AE89B58690306193FB541F2291DE79C8159B68
                                                                                  APIs
                                                                                  • LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406899
                                                                                  • LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004068B5
                                                                                  • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00406317,?,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 004068FE
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406936
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 0040698E
                                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406317,00200020,00000000,?,00000000), ref: 004069A4
                                                                                  • LCMapStringW.KERNEL32(00000000,?,00406317,00000000,00406317,?,?,00406317,00200020,00000000,?,00000000), ref: 004069D7
                                                                                  • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 00406A3F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: String$ByteCharMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 352835431-0
                                                                                  • Opcode ID: 52b028058ca06a0f0bdecd6ae8d0fbaa349513228d1b77f69a1be679ce9dbea8
                                                                                  • Instruction ID: bfa2f6765d0c2f53a291dd63aa28e0fd85931859619bb502a825e5ecf84f9822
                                                                                  • Opcode Fuzzy Hash: 52b028058ca06a0f0bdecd6ae8d0fbaa349513228d1b77f69a1be679ce9dbea8
                                                                                  • Instruction Fuzzy Hash: CD519B71500209EBCF219F94CD45EAF7BB5FB49714F12413AF912B12A0C73A8C61DB69
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004042CA
                                                                                  • GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004043A0
                                                                                  • WriteFile.KERNEL32(00000000), ref: 004043A7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$HandleModuleNameWrite
                                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                  • API String ID: 3784150691-4022980321
                                                                                  • Opcode ID: bf8ad28efb64001b192f00e491ef6ce2a650ba3783efa5faa4453eb733959f53
                                                                                  • Instruction ID: 020781dd2a094c50b4544603966d85f7b47e7f329bf5b07b80a87356522084c7
                                                                                  • Opcode Fuzzy Hash: bf8ad28efb64001b192f00e491ef6ce2a650ba3783efa5faa4453eb733959f53
                                                                                  • Instruction Fuzzy Hash: 7D318772600218AFDF2096609E45F9A736DAF85304F1004BFF984B61D1EA789D458A5D
                                                                                  APIs
                                                                                  • OpenEventA.KERNEL32(00100002,00000000,00000000,F7EA2C26), ref: 02CE16B0
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CE16C5
                                                                                  • ResetEvent.KERNEL32(00000000,F7EA2C26), ref: 02CE16CF
                                                                                  • CloseHandle.KERNEL32(00000000,F7EA2C26), ref: 02CE1704
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F7EA2C26), ref: 02CE177A
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CE178F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseEventHandle$CreateOpenReset
                                                                                  • String ID:
                                                                                  • API String ID: 1285874450-0
                                                                                  • Opcode ID: 537e16a8f7de98db6003d1a9fcdc31cc13e8fb6260516eb75ad5d947c0ca7897
                                                                                  • Instruction ID: 8a23c9b11a678e8cee5dec1d04d694f952dcef43eb56cea73fd7a0a9f73c4767
                                                                                  • Opcode Fuzzy Hash: 537e16a8f7de98db6003d1a9fcdc31cc13e8fb6260516eb75ad5d947c0ca7897
                                                                                  • Instruction Fuzzy Hash: 19413F71D04358ABDF20CFA5C849BADBBB8EF45724F184619E81AEB280D7709E15CB90
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD20AC
                                                                                  • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02CD20CD
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD20D8
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 02CD213E
                                                                                  • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02CD217A
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 02CD2187
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD21A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1171374749-0
                                                                                  • Opcode ID: b3f83f876b7523de9f76e95da816e1a30238cd6959c7d6e590c9c51e042acefd
                                                                                  • Instruction ID: 492e784cf846095bbb1ea1b49d22871095e513b3a018dbcc78dee57c7cf273c2
                                                                                  • Opcode Fuzzy Hash: b3f83f876b7523de9f76e95da816e1a30238cd6959c7d6e590c9c51e042acefd
                                                                                  • Instruction Fuzzy Hash: 444137715047019FC321DF25D884A6BBBF9FFC8654F104A1EFA9A82651DB30E909DFA2
                                                                                  APIs
                                                                                    • Part of subcall function 02CE1ED0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02CE172E,?,?), ref: 02CE1EFF
                                                                                    • Part of subcall function 02CE1ED0: CloseHandle.KERNEL32(00000000,?,?,02CE172E,?,?), ref: 02CE1F14
                                                                                    • Part of subcall function 02CE1ED0: SetEvent.KERNEL32(00000000,02CE172E,?,?), ref: 02CE1F27
                                                                                  • OpenEventA.KERNEL32(00100002,00000000,00000000,F7EA2C26), ref: 02CE16B0
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CE16C5
                                                                                  • ResetEvent.KERNEL32(00000000,F7EA2C26), ref: 02CE16CF
                                                                                  • CloseHandle.KERNEL32(00000000,F7EA2C26), ref: 02CE1704
                                                                                  • __CxxThrowException@8.LIBCMT ref: 02CE1735
                                                                                    • Part of subcall function 02CE455A: RaiseException.KERNEL32(?,?,02CDFB56,?,?,?,?,?,?,?,02CDFB56,?,02D00F98,?), ref: 02CE45AF
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F7EA2C26), ref: 02CE177A
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CE178F
                                                                                    • Part of subcall function 02CE1C10: GetCurrentProcessId.KERNEL32(?), ref: 02CE1C69
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,F7EA2C26), ref: 02CE179F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                  • String ID:
                                                                                  • API String ID: 2227236058-0
                                                                                  • Opcode ID: b6580782afcc07fb63d173cec314b3aeed2e70b7d86cbd089005b0821144f4f6
                                                                                  • Instruction ID: 21d905a2bccf7fa2d2cc617d4dd4d85290b3b80d24160344a60c442e748a57e8
                                                                                  • Opcode Fuzzy Hash: b6580782afcc07fb63d173cec314b3aeed2e70b7d86cbd089005b0821144f4f6
                                                                                  • Instruction Fuzzy Hash: BF316171D003489BDF20DBA4CC45BADB7B9EF45724F184119E81EEB280D7B09E25CB61
                                                                                  APIs
                                                                                  • __init_pointers.LIBCMT ref: 02CE5D94
                                                                                    • Part of subcall function 02CE8503: RtlEncodePointer.NTDLL(00000000), ref: 02CE8506
                                                                                    • Part of subcall function 02CE8503: __initp_misc_winsig.LIBCMT ref: 02CE8521
                                                                                    • Part of subcall function 02CE8503: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D01598,00000008,00000003,02D00F7C,?,00000001), ref: 02CE9281
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02CE9295
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02CE92A8
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02CE92BB
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02CE92CE
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02CE92E1
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02CE92F4
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02CE9307
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02CE931A
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02CE932D
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02CE9340
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02CE9353
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02CE9366
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02CE9379
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02CE938C
                                                                                    • Part of subcall function 02CE8503: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02CE939F
                                                                                  • __mtinitlocks.LIBCMT ref: 02CE5D99
                                                                                  • __mtterm.LIBCMT ref: 02CE5DA2
                                                                                    • Part of subcall function 02CE5E0A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02CE8939
                                                                                    • Part of subcall function 02CE5E0A: _free.LIBCMT ref: 02CE8940
                                                                                    • Part of subcall function 02CE5E0A: RtlDeleteCriticalSection.NTDLL(02D03978), ref: 02CE8962
                                                                                  • __calloc_crt.LIBCMT ref: 02CE5DC7
                                                                                  • __initptd.LIBCMT ref: 02CE5DE9
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02CE5DF0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                  • String ID:
                                                                                  • API String ID: 3567560977-0
                                                                                  • Opcode ID: 506f80041b5d00ac866ff3685d8486a5f2320cf7c4fe4a6247749565ccbe9d50
                                                                                  • Instruction ID: a7c43d7ccaceeafe78b39b3a689359dfc2222b6e5761f80d945dd61cf1d83f2f
                                                                                  • Opcode Fuzzy Hash: 506f80041b5d00ac866ff3685d8486a5f2320cf7c4fe4a6247749565ccbe9d50
                                                                                  • Instruction Fuzzy Hash: 58F024326583511EFE7876357C8978F37829F017B8B600719E027D60E4FF25CA016980
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02CE3473,00000000), ref: 02CE34DB
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02CE34E2
                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02CE34EE
                                                                                  • RtlDecodePointer.NTDLL(00000001), ref: 02CE350B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                  • String ID: RoInitialize$combase.dll
                                                                                  • API String ID: 3489934621-340411864
                                                                                  • Opcode ID: dd4a3da5c5d3946e08f2f7e5eae0e61c01d3d24396160306d620ef4a5199b709
                                                                                  • Instruction ID: 5b7311727fd4d880f359d94d3b430dfabfcd5613b81af5ae6d17397c731bc957
                                                                                  • Opcode Fuzzy Hash: dd4a3da5c5d3946e08f2f7e5eae0e61c01d3d24396160306d620ef4a5199b709
                                                                                  • Instruction Fuzzy Hash: 66E0ED70ED0340ABFE901B71EC49F163B69A740702F108964B606D6294D7B5957C8F50
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02CE34B0), ref: 02CE35B0
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02CE35B7
                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02CE35C2
                                                                                  • RtlDecodePointer.NTDLL(02CE34B0), ref: 02CE35DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                  • API String ID: 3489934621-2819208100
                                                                                  • Opcode ID: fa28d74a6e42dff73951b407b4b42125f95427da94eaa25aae0c95a4daca6b14
                                                                                  • Instruction ID: 2bd1f01a37e961e026eb0c065d5557b81697a4f948617a533940bbacc7b27381
                                                                                  • Opcode Fuzzy Hash: fa28d74a6e42dff73951b407b4b42125f95427da94eaa25aae0c95a4daca6b14
                                                                                  • Instruction Fuzzy Hash: 1FE09A70ED1304ABEA905F60AD4EB167779B740705F208968F306923A8DB759538CA50
                                                                                  APIs
                                                                                  • TlsGetValue.KERNEL32(0000002C,F7EA2C26,?,?,?,?,00000000,02CF6AB8,000000FF,02CE21CA), ref: 02CE1F6A
                                                                                  • TlsSetValue.KERNEL32(0000002C,02CE21CA,?,?,00000000), ref: 02CE1FD7
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02CE2001
                                                                                  • HeapFree.KERNEL32(00000000), ref: 02CE2004
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: HeapValue$FreeProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1812714009-0
                                                                                  • Opcode ID: 5028075e5a9e41b7fd88130b15c1e7fa2558634df27f485ffae22dea0c272e7e
                                                                                  • Instruction ID: 4878b2193b3eb5a1cad3b131989c221b6a2611ae8920325f86c10e4754d4382e
                                                                                  • Opcode Fuzzy Hash: 5028075e5a9e41b7fd88130b15c1e7fa2558634df27f485ffae22dea0c272e7e
                                                                                  • Instruction Fuzzy Hash: 71519C319043049FDB20CF29C844B1ABBE9EF88664F098A59E85A972D4D771AD14CBD2
                                                                                  APIs
                                                                                  • _ValidateScopeTableHandlers.LIBCMT ref: 02CF5790
                                                                                  • __FindPESection.LIBCMT ref: 02CF57AA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FindHandlersScopeSectionTableValidate
                                                                                  • String ID:
                                                                                  • API String ID: 876702719-0
                                                                                  • Opcode ID: 14a0e570359b2a96e97f4936b182a32853e2d88d9f64437ab260cf9272640050
                                                                                  • Instruction ID: 848b561355741b30adb57edbc35274e64c438b0f9af05929d543ac2443c82e13
                                                                                  • Opcode Fuzzy Hash: 14a0e570359b2a96e97f4936b182a32853e2d88d9f64437ab260cf9272640050
                                                                                  • Instruction Fuzzy Hash: 96A1F271E407158FDBA4CF29C88479DB7A5EB883A4F954629DF15AB391E330EE01CB90
                                                                                  APIs
                                                                                  • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040674D
                                                                                  • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 00406767
                                                                                  • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040679B
                                                                                  • MultiByteToWideChar.KERNEL32(00406317,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004067D3
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406829
                                                                                  • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040683B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: StringType$ByteCharMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 3852931651-0
                                                                                  • Opcode ID: 773bae316822cb58e3f9949346ace8707e6d4ebf412f3a77ab6d13d65b0a9b3b
                                                                                  • Instruction ID: 8ac2037c816029e642a9b4ec2df7aab8045e17b8c7d4a01b19cad4fbac0790f4
                                                                                  • Opcode Fuzzy Hash: 773bae316822cb58e3f9949346ace8707e6d4ebf412f3a77ab6d13d65b0a9b3b
                                                                                  • Instruction Fuzzy Hash: 6D418D72501209EFCF209F94CD85EAF3B79FB04714F11453AF912B2290D73989618BA9
                                                                                  APIs
                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02CD1CB1
                                                                                  • CloseHandle.KERNEL32(?), ref: 02CD1CBA
                                                                                  • InterlockedExchangeAdd.KERNEL32(02D0727C,00000000), ref: 02CD1CC6
                                                                                  • TerminateThread.KERNEL32(?,00000000), ref: 02CD1CD4
                                                                                  • QueueUserAPC.KERNEL32(02CD1E7C,?,00000000), ref: 02CD1CE1
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02CD1CEC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 1946104331-0
                                                                                  • Opcode ID: 2cc07e68dff344dead2c536b4dd4f3582872fb58362776f754b50d38211b334d
                                                                                  • Instruction ID: 19888f68717f0c73e3baa541c2e4ed7768195b3f100f9ba4878f861a458d0ae9
                                                                                  • Opcode Fuzzy Hash: 2cc07e68dff344dead2c536b4dd4f3582872fb58362776f754b50d38211b334d
                                                                                  • Instruction Fuzzy Hash: 70F08131540214BFEB105BA6ED0DE57FBBCEF89720B004759F62AC2590DBA06914CBA0
                                                                                  APIs
                                                                                  • GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F00
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                  • API String ID: 1385375860-4131005785
                                                                                  • Opcode ID: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                  • Instruction ID: b9728f854654bad712525c43123df79641ae2587965f18a3091eb02ea7af310c
                                                                                  • Opcode Fuzzy Hash: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                  • Instruction Fuzzy Hash: 42312771D002896DEB319A309C45BDA7F7C9B12309F2400FBE545F52C2D6398F8A8718
                                                                                  APIs
                                                                                  • std::exception::exception.LIBCMT ref: 02CE197F
                                                                                    • Part of subcall function 02CE24D3: std::exception::_Copy_str.LIBCMT ref: 02CE24EC
                                                                                    • Part of subcall function 02CE0D50: __CxxThrowException@8.LIBCMT ref: 02CE0DAE
                                                                                  • std::exception::exception.LIBCMT ref: 02CE19DE
                                                                                  Strings
                                                                                  • $, xrefs: 02CE19E3
                                                                                  • boost unique_lock owns already the mutex, xrefs: 02CE19CD
                                                                                  • boost unique_lock has no mutex, xrefs: 02CE196E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                  • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                  • API String ID: 2140441600-46888669
                                                                                  • Opcode ID: 2435109f32f825f361d0696a2ecc1272502a8ca4ff075081072754dc6e8083e2
                                                                                  • Instruction ID: aaa6d93f8eb03d17e33b220996d0cdaa084963c4c7133d8676bf83e66c17d6f9
                                                                                  • Opcode Fuzzy Hash: 2435109f32f825f361d0696a2ecc1272502a8ca4ff075081072754dc6e8083e2
                                                                                  • Instruction Fuzzy Hash: C62104B15083809FDB90DF24C544B5BBBE9BF88708F004A5EF4A687290D7B5A908CF92
                                                                                  APIs
                                                                                  • __getptd_noexit.LIBCMT ref: 02CE4A80
                                                                                    • Part of subcall function 02CE5C72: GetLastError.KERNEL32(771B0A60,771AF550,02CE5E60,02CE3033,771AF550,?,02CD606D,00000104,771B0A60,771AF550,ntdll.dll,?,?,?,02CD6508), ref: 02CE5C74
                                                                                    • Part of subcall function 02CE5C72: __calloc_crt.LIBCMT ref: 02CE5C95
                                                                                    • Part of subcall function 02CE5C72: __initptd.LIBCMT ref: 02CE5CB7
                                                                                    • Part of subcall function 02CE5C72: GetCurrentThreadId.KERNEL32 ref: 02CE5CBE
                                                                                    • Part of subcall function 02CE5C72: SetLastError.KERNEL32(00000000,02CD606D,00000104,771B0A60,771AF550,ntdll.dll,?,?,?,02CD6508), ref: 02CE5CD6
                                                                                  • __calloc_crt.LIBCMT ref: 02CE4AA3
                                                                                  • __get_sys_err_msg.LIBCMT ref: 02CE4AC1
                                                                                  • __invoke_watson.LIBCMT ref: 02CE4ADE
                                                                                  Strings
                                                                                  • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02CE4A8B, 02CE4AB1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                  • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                  • API String ID: 109275364-798102604
                                                                                  • Opcode ID: 90eda8b15ba272c67c312a2947ddaec060b089be6a393dfb2db5a777158051b1
                                                                                  • Instruction ID: 4479d4469e937a59dabc003ab33e567def424d614397b39bd29333acf131c8ca
                                                                                  • Opcode Fuzzy Hash: 90eda8b15ba272c67c312a2947ddaec060b089be6a393dfb2db5a777158051b1
                                                                                  • Instruction Fuzzy Hash: 2EF0E972A80B146BEE39A52A5C40A2B72DEDB80AB4B010526FE4797600E721DD007699
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2350
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2360
                                                                                  • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CD2370
                                                                                  • GetLastError.KERNEL32 ref: 02CD237A
                                                                                    • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                  • String ID: pqcs
                                                                                  • API String ID: 1619523792-2559862021
                                                                                  • Opcode ID: 479c463be226d53ff9bd6486f0c2694182be15180cd1e56a9536f2a76a931388
                                                                                  • Instruction ID: d20555267b7dbbf75785e40284e00055c7b18f79b8af9fe86c5ca786a4c0cc4a
                                                                                  • Opcode Fuzzy Hash: 479c463be226d53ff9bd6486f0c2694182be15180cd1e56a9536f2a76a931388
                                                                                  • Instruction Fuzzy Hash: 35F0F471A40304AFDB60AFB49809BABBBBCEF44605F00466AEA09D3541F7B1DA549BD1
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD4035
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 02CD4042
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02CD4049
                                                                                  • std::exception::exception.LIBCMT ref: 02CD4063
                                                                                    • Part of subcall function 02CDA6C1: __EH_prolog.LIBCMT ref: 02CDA6C6
                                                                                    • Part of subcall function 02CDA6C1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CDA6D5
                                                                                    • Part of subcall function 02CDA6C1: __CxxThrowException@8.LIBCMT ref: 02CDA6F4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                  • String ID: bad allocation
                                                                                  • API String ID: 3112922283-2104205924
                                                                                  • Opcode ID: 6f1d71587f2459082a964a104727f366ca8fe7c766bce31f8d31b5c8d8f69fb6
                                                                                  • Instruction ID: 04fb20a04bbfce1fdc575a66bc83bd9dd2f5d883baba048cd6dbc7b4eac0a52a
                                                                                  • Opcode Fuzzy Hash: 6f1d71587f2459082a964a104727f366ca8fe7c766bce31f8d31b5c8d8f69fb6
                                                                                  • Instruction Fuzzy Hash: 65F082B1E40209EBDB90EFE4C808BAFBB78EF04340F404555EB15A2640DB3452188F91
                                                                                  APIs
                                                                                  • GetStartupInfoA.KERNEL32(?), ref: 00403D2D
                                                                                  • GetFileType.KERNEL32(00000800), ref: 00403DD3
                                                                                  • GetStdHandle.KERNEL32(-000000F6), ref: 00403E2C
                                                                                  • GetFileType.KERNEL32(00000000), ref: 00403E3A
                                                                                  • SetHandleCount.KERNEL32 ref: 00403E71
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileHandleType$CountInfoStartup
                                                                                  • String ID:
                                                                                  • API String ID: 1710529072-0
                                                                                  • Opcode ID: f982337ddfb62dc50d0dbbad224f25157b3b98fe873585f58ad7db729dbe21f7
                                                                                  • Instruction ID: 179cbcfb0f8150e68f98095ab4b2e92c056dfdbe1ab8c26b2315e3696066d9ad
                                                                                  • Opcode Fuzzy Hash: f982337ddfb62dc50d0dbbad224f25157b3b98fe873585f58ad7db729dbe21f7
                                                                                  • Instruction Fuzzy Hash: 415148716046418BD7218F38CD847567FA8AF11322F15433EE8A2FB3E0C7389A49DB49
                                                                                  APIs
                                                                                    • Part of subcall function 02CE1A50: CloseHandle.KERNEL32(00000000,F7EA2C26), ref: 02CE1AA1
                                                                                    • Part of subcall function 02CE1A50: WaitForSingleObject.KERNEL32(?,000000FF,F7EA2C26,?,?,?,?,F7EA2C26,02CE1A23,F7EA2C26), ref: 02CE1AB8
                                                                                  • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CE1D1E
                                                                                  • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CE1D3E
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02CE1D77
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02CE1DCB
                                                                                  • SetEvent.KERNEL32(?), ref: 02CE1DD2
                                                                                    • Part of subcall function 02CD418C: CloseHandle.KERNEL32(00000000,?,02CE1D05), ref: 02CD41B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 4166353394-0
                                                                                  • Opcode ID: 38a1f51cd43310c3e4a032850fb6c8c63e6e03351eac92fff3d09c95135ae6ef
                                                                                  • Instruction ID: 6f9a761bcf5d41eb2e3f480c618e402482e0015ce517f3f4c234681a94b2a1d4
                                                                                  • Opcode Fuzzy Hash: 38a1f51cd43310c3e4a032850fb6c8c63e6e03351eac92fff3d09c95135ae6ef
                                                                                  • Instruction Fuzzy Hash: 014103316003019BDF269F29CC80B2BB7A4EF85324F180668EC1EDB295D775DE618B91
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD20AC
                                                                                  • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02CD20CD
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD20D8
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 02CD213E
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD21A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1611172436-0
                                                                                  • Opcode ID: 2a45726569798fab9167fd5704e9abbfaae6a694cdeb168ba4a729cac50c7084
                                                                                  • Instruction ID: 4e8c4a46fb5aeae4b7cd051c9392ef1cd14e79c0d171ad942d8c79165663c7bf
                                                                                  • Opcode Fuzzy Hash: 2a45726569798fab9167fd5704e9abbfaae6a694cdeb168ba4a729cac50c7084
                                                                                  • Instruction Fuzzy Hash: 69318D725047019FC315DF25D884A6BF7F9EFC8654F044A1EFA9683651D730E909CBA2
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDE0F4
                                                                                    • Part of subcall function 02CD1A01: TlsGetValue.KERNEL32 ref: 02CD1A0A
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CDE173
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CDE18F
                                                                                  • InterlockedIncrement.KERNEL32(02D05190), ref: 02CDE1B4
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CDE1C9
                                                                                    • Part of subcall function 02CD27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02CD284E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1578506061-0
                                                                                  • Opcode ID: 3af468a1a22c143f738140a9670d82a4ce1efc6ccf59e1cd7e4785ab4a150fd3
                                                                                  • Instruction ID: 3af1e1cd0f7a9024b6f6ce6298104c506dfb54f7ecc4ec9d9c62e399ee92351a
                                                                                  • Opcode Fuzzy Hash: 3af468a1a22c143f738140a9670d82a4ce1efc6ccf59e1cd7e4785ab4a150fd3
                                                                                  • Instruction Fuzzy Hash: EC3147B19012049FCB54DFA9C944AAEBBF8FF48310F14855ED649E7601E774AA04CFA0
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 02CF03B0
                                                                                    • Part of subcall function 02CE2FAC: __FF_MSGBANNER.LIBCMT ref: 02CE2FC3
                                                                                    • Part of subcall function 02CE2FAC: __NMSG_WRITE.LIBCMT ref: 02CE2FCA
                                                                                    • Part of subcall function 02CE2FAC: RtlAllocateHeap.NTDLL(00960000,00000000,00000001), ref: 02CE2FEF
                                                                                  • _free.LIBCMT ref: 02CF03C3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_free_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1020059152-0
                                                                                  • Opcode ID: 9c99617ff2dac9dac5b9420212a69bbbb17c747edb2bff76a59aca7ef7bde256
                                                                                  • Instruction ID: 57827039a2e465eb5dc42f1c92146f289248b7a8ddb70a512ec656f71b875b20
                                                                                  • Opcode Fuzzy Hash: 9c99617ff2dac9dac5b9420212a69bbbb17c747edb2bff76a59aca7ef7bde256
                                                                                  • Instruction Fuzzy Hash: 66110632804615ABCFE13F70A84475A3B999F40BB8F104525FB1E9B19ADB348950EA90
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD21DA
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD21ED
                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02CD2224
                                                                                  • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02CD2237
                                                                                  • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02CD2261
                                                                                    • Part of subcall function 02CD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2350
                                                                                    • Part of subcall function 02CD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2360
                                                                                    • Part of subcall function 02CD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CD2370
                                                                                    • Part of subcall function 02CD2341: GetLastError.KERNEL32 ref: 02CD237A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1856819132-0
                                                                                  • Opcode ID: 66604a32c264c0c4b795ef501241a8235487c0d2eb8485212746d6e2fcfb23df
                                                                                  • Instruction ID: e86756f632ff8bb57b3bdcdb574f2fccbfe9433f06819f50f5f9f1ff93acb928
                                                                                  • Opcode Fuzzy Hash: 66604a32c264c0c4b795ef501241a8235487c0d2eb8485212746d6e2fcfb23df
                                                                                  • Instruction Fuzzy Hash: D8117F72D04118EBCB11AFA8D8447AEFFBAFF54310F00452AFA15A3261D7715A25DF91
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD229D
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CD22B0
                                                                                  • TlsGetValue.KERNEL32 ref: 02CD22E7
                                                                                  • TlsSetValue.KERNEL32(?), ref: 02CD2300
                                                                                  • TlsSetValue.KERNEL32(?,?,?), ref: 02CD231C
                                                                                    • Part of subcall function 02CD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2350
                                                                                    • Part of subcall function 02CD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2360
                                                                                    • Part of subcall function 02CD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CD2370
                                                                                    • Part of subcall function 02CD2341: GetLastError.KERNEL32 ref: 02CD237A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1856819132-0
                                                                                  • Opcode ID: 77ade15e51130814f2a5385d854a0c3f8228c56729ad209ee66e6f990d4fc1d6
                                                                                  • Instruction ID: 68015e538ea141815d72df60867e4a80fb2b06f6e172bd5a6f4a3b18ff2042ba
                                                                                  • Opcode Fuzzy Hash: 77ade15e51130814f2a5385d854a0c3f8228c56729ad209ee66e6f990d4fc1d6
                                                                                  • Instruction Fuzzy Hash: 3B115BB2D00118EBCB119FA9D844AAEFFBAFF98310F00452AE905A3261D7715A25DFD1
                                                                                  APIs
                                                                                    • Part of subcall function 02CDB15C: __EH_prolog.LIBCMT ref: 02CDB161
                                                                                  • __CxxThrowException@8.LIBCMT ref: 02CDBD26
                                                                                    • Part of subcall function 02CE455A: RaiseException.KERNEL32(?,?,02CDFB56,?,?,?,?,?,?,?,02CDFB56,?,02D00F98,?), ref: 02CE45AF
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D01DB4,?,00000001), ref: 02CDBD3C
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CDBD4F
                                                                                  • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D01DB4,?,00000001), ref: 02CDBD5F
                                                                                  • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CDBD6D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                  • String ID:
                                                                                  • API String ID: 2725315915-0
                                                                                  • Opcode ID: a1e1f7ab53190fcda9859d35a5d5a4df4b31ea2f077bc9bed3d0e8c2b7aacfb2
                                                                                  • Instruction ID: 87b7f7757a769410d4fcc376b7bc00365d22610323f826b22178b679a0230e41
                                                                                  • Opcode Fuzzy Hash: a1e1f7ab53190fcda9859d35a5d5a4df4b31ea2f077bc9bed3d0e8c2b7aacfb2
                                                                                  • Instruction Fuzzy Hash: E1018676A40209AFDB109FA4DC89F8677ADAF04719F004515F716D6690DB64EC588B60
                                                                                  APIs
                                                                                  • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CD2432
                                                                                  • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CD2445
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CD2454
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2469
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CD2470
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 747265849-0
                                                                                  • Opcode ID: 4b03e637acfeb7f7c6d6be6abb6062ab71a1dc0616f44bbc02f96a365e2c5d24
                                                                                  • Instruction ID: 25589f864fc36e3a139e5ae7fedb50c81a196b5e459484350a64b5142770f8d8
                                                                                  • Opcode Fuzzy Hash: 4b03e637acfeb7f7c6d6be6abb6062ab71a1dc0616f44bbc02f96a365e2c5d24
                                                                                  • Instruction Fuzzy Hash: 46F01D72640204BBD640ABA5ED49F96B72CFF44711F804515FB01D6881D7A1F924CBE5
                                                                                  APIs
                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 02CD1ED2
                                                                                  • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02CD1EEA
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CD1EF9
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD1F0E
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CD1F15
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 830998967-0
                                                                                  • Opcode ID: d68ceab39eb11ad0cc3ee6f74c65f2ad99c36a12b0a7a9386759d08a86c4b117
                                                                                  • Instruction ID: 099797d7cfb0aa253ab8a9c2fb70f17f90f34dea4d026b37ebe42f9a886e376d
                                                                                  • Opcode Fuzzy Hash: d68ceab39eb11ad0cc3ee6f74c65f2ad99c36a12b0a7a9386759d08a86c4b117
                                                                                  • Instruction Fuzzy Hash: FFF06732640204BBDB40AFA1EC88FC6BB2CFF04311F000516F30186840DB71AA288BE0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID: invalid string position$string too long
                                                                                  • API String ID: 4104443479-4289949731
                                                                                  • Opcode ID: 8bd7cc7468775f69947d98ef4c8dd94fc5423e1f125ae618aca3c3cfed565a18
                                                                                  • Instruction ID: 4cd24093ae9077a6bf54d3923b16b89dc846bb2d39cd72ce09c75f54cab7f21f
                                                                                  • Opcode Fuzzy Hash: 8bd7cc7468775f69947d98ef4c8dd94fc5423e1f125ae618aca3c3cfed565a18
                                                                                  • Instruction Fuzzy Hash: 3D419371700344ABDB24DE69DC84A6AB7BAEF81754B100A2DFA5687780C770E946CBA1
                                                                                  APIs
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 02CD30C3
                                                                                  • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02CD3102
                                                                                  • _memcmp.LIBCMT ref: 02CD3141
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastString_memcmp
                                                                                  • String ID: 255.255.255.255
                                                                                  • API String ID: 1618111833-2422070025
                                                                                  • Opcode ID: 3242154ee7541b5551be7e69c7ec0f4b84c1045c970e3f083b2f7fb136653885
                                                                                  • Instruction ID: 85528dd7233c12505d59487668cf6a4d4ffffd979744b573d86a50b2adf75472
                                                                                  • Opcode Fuzzy Hash: 3242154ee7541b5551be7e69c7ec0f4b84c1045c970e3f083b2f7fb136653885
                                                                                  • Instruction Fuzzy Hash: 9931B572E00349DFDF209F64CC8076EB7A5BF85324F1045A9EA5657280E7B19A45CF91
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD1F5B
                                                                                  • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02CD1FC5
                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 02CD1FD2
                                                                                    • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                  • String ID: iocp
                                                                                  • API String ID: 998023749-976528080
                                                                                  • Opcode ID: 95380c5716438a4a793118211a5f4405cfeea42b3bdf28fc1c36feccc06582ef
                                                                                  • Instruction ID: 1cc3ffa52186f9de188d2e396e63c895f511cd78f3ea0d67cf52a1bdea0ecc2c
                                                                                  • Opcode Fuzzy Hash: 95380c5716438a4a793118211a5f4405cfeea42b3bdf28fc1c36feccc06582ef
                                                                                  • Instruction Fuzzy Hash: EC21B4B1901B449FC760DF6AC54455BFBF8FF94720B108A1FE5AA83A60D7B0A604CF91
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD37B6
                                                                                  • __localtime64.LIBCMT ref: 02CD37C1
                                                                                    • Part of subcall function 02CE2600: __gmtime64_s.LIBCMT ref: 02CE2613
                                                                                  • std::exception::exception.LIBCMT ref: 02CD37D9
                                                                                    • Part of subcall function 02CE24D3: std::exception::_Copy_str.LIBCMT ref: 02CE24EC
                                                                                    • Part of subcall function 02CDA51F: __EH_prolog.LIBCMT ref: 02CDA524
                                                                                    • Part of subcall function 02CDA51F: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CDA533
                                                                                    • Part of subcall function 02CDA51F: __CxxThrowException@8.LIBCMT ref: 02CDA552
                                                                                  Strings
                                                                                  • could not convert calendar time to UTC time, xrefs: 02CD37CE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                  • String ID: could not convert calendar time to UTC time
                                                                                  • API String ID: 1963798777-2088861013
                                                                                  • Opcode ID: 0791eae41e8f02b4ba39451fea02da7995285bf6819cf8633ef5c96203fb62fa
                                                                                  • Instruction ID: b260db19c190fb117cd3c1bd7ffc818bc75a450f60c3467fa31fdfd8c51d8a63
                                                                                  • Opcode Fuzzy Hash: 0791eae41e8f02b4ba39451fea02da7995285bf6819cf8633ef5c96203fb62fa
                                                                                  • Instruction Fuzzy Hash: 17E06DF1D002099BCF80EFA4D9007EFBBBAEF04340F40469ADA16A2540EB3446099F85
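The per-function entries above (an "APIs" list with "Name.MODULE(args), ref: ADDR" bullets, optional "Strings" with xrefs, and the "Similarity" identifiers) are easier to pivot on once parsed into records: which functions call a given API, which strings a function references, and which identifiers to compare against other reports. The following Python parser is an added example, not Joe Sandbox code and not part of this report. It assumes the text layout shown on this page and runs on a constructed sample copied from three of the entries above, trimmed to the lines the parser consumes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three entries in the layout this page uses.
SAMPLE = """\
APIs
• WSASetLastError.WS2_32(00000000), ref: 02CD30C3
• WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02CD3102
• _memcmp.LIBCMT ref: 02CD3141
Strings
• Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Similarity
• API ID: AddressErrorLastString_memcmp
• String ID: 255.255.255.255
• API String ID: 1618111833-2422070025
• Instruction Fuzzy Hash: 9931B572E00349DFDF209F64CC8076EB7A5BF85324F1045A9EA5657280E7B19A45CF91
APIs
• __EH_prolog.LIBCMT ref: 02CD1F5B
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02CD1FC5
• GetLastError.KERNEL32(?,00000000), ref: 02CD1FD2
  • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
• API String ID: 998023749-976528080
APIs
• __localtime64.LIBCMT ref: 02CD37C1
• std::exception::exception.LIBCMT ref: 02CD37D9
Strings
• could not convert calendar time to UTC time, xrefs: 02CD37CE
Similarity
• String ID: could not convert calendar time to UTC time
• API String ID: 1963798777-2088861013
"""

# "Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
# "text, xrefs: ADDR[, ADDR...]" under the Strings header
XREF_RE = re.compile(r"^•\s+(?P<text>.*), xrefs: (?P<refs>[0-9A-F]+(?:, [0-9A-F]+)*)$")
# "Key: Value" bullets (Source File, API ID, String ID, fuzzy hashes, ...)
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, [xref addresses])
    meta: dict = field(default_factory=dict)     # Similarity / dump-source keys

def parse_report(text):
    """Split the listing into one FunctionEntry per 'APIs' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # plain section headers (Strings, Similarity, ...)
        if m := API_RE.match(line):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif m := XREF_RE.match(line):
            cur.strings.append((m["text"], m["refs"].split(", ")))
        elif m := KV_RE.match(line):
            cur.meta[m["key"]] = m["value"]
    return entries

def api_names(entry):
    """APIs called directly by the function (subcall lines excluded), in listed order."""
    return [a.name for a in entry.apis if a.subcall_of is None]

def functions_calling(entries, api_name):
    """Entries whose own body calls api_name."""
    return [e for e in entries if api_name in api_names(e)]

def string_ids(entry):
    """The '$'-separated String ID field as a list of strings."""
    return [s for s in entry.meta.get("String ID", "").split("$") if s]

def similarity_keys(entries):
    """(API String ID, Instruction Fuzzy Hash) per entry, for comparison with other reports."""
    return [(e.meta.get("API String ID"), e.meta.get("Instruction Fuzzy Hash")) for e in entries]

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(api_names(e), string_ids(e), e.meta.get("API String ID"))
```

To use it on a full report, paste the exported function listing into the text passed to parse_report; entries whose Similarity identifiers are missing simply yield None in similarity_keys, so the parser does not have to see every field of every entry.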
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,00402E6A), ref: 0040315F
                                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040316F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                  • API String ID: 1646373207-3105848591
                                                                                  • Opcode ID: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
                                                                                  • Instruction ID: 396ae008ee37b43aaac66eedf252cb0d6854bca9fd0baad0eaa83bc1c4717f20
                                                                                  • Opcode Fuzzy Hash: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
                                                                                  • Instruction Fuzzy Hash: 14C01270380B00A6EA201FB20F0AB2628AC1B48B03F1800BEA289F81C0CE7CC600843D
                                                                                  APIs
                                                                                  • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040403A), ref: 00404C3D
                                                                                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040403A), ref: 00404C61
                                                                                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040403A), ref: 00404C7B
                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040403A), ref: 00404D3C
                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040403A), ref: 00404D53
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual$FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 714016831-0
                                                                                  • Opcode ID: d30a978d9bc7417a469256f3e8976692263147ba1eac3779cca18a805df5e5ef
                                                                                  • Instruction ID: 8342ab3d1522dc40559259ebd5fae4daf869060c5d00d2c0d6368defdd81eeaa
                                                                                  • Opcode Fuzzy Hash: d30a978d9bc7417a469256f3e8976692263147ba1eac3779cca18a805df5e5ef
                                                                                  • Instruction Fuzzy Hash: C531C2B15417019BE3248F24EE45B22B7E0EB88755F11863AEA55B73E1EB78A804CB5C
                                                                                  APIs
                                                                                  • VirtualFree.KERNEL32(?,00008000,00004000,771ADFF0,?,00000000), ref: 00404696
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004046F1
                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 00404703
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Free$Virtual$Heap
                                                                                  • String ID: 4/@
                                                                                  • API String ID: 2016334554-3101945251
                                                                                  • Opcode ID: 199a36f977281599ad5afd87853ae24f4074e0c008a667361992956c0e030d6f
                                                                                  • Instruction ID: 78bd1f862fe0b28b52f27270d0fa5238b1a9d3d64e45df471a1af09ca5d00069
                                                                                  • Opcode Fuzzy Hash: 199a36f977281599ad5afd87853ae24f4074e0c008a667361992956c0e030d6f
                                                                                  • Instruction Fuzzy Hash: 95B19EB4A01205DFDB14DF44CAD0A69BBA1FB88318F24C1AEDA196F392C735ED45CB84
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AdjustPointer_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 1721217611-0
                                                                                  • Opcode ID: e8c17aa6f43d894e80099ceae441b1f26c5332479355692335b213fd077583d6
                                                                                  • Instruction ID: c23f1e43ac554b45b56f3ce22ae44d8205e9ec312f84c0ec5ccf403598e22052
                                                                                  • Opcode Fuzzy Hash: e8c17aa6f43d894e80099ceae441b1f26c5332479355692335b213fd077583d6
                                                                                  • Instruction Fuzzy Hash: 174197766093029EEF255E65D881BBA73E99F81354F28002FF947861E0DB75D780EF50
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02CD4149), ref: 02CE13BF
                                                                                    • Part of subcall function 02CD3FDC: __EH_prolog.LIBCMT ref: 02CD3FE1
                                                                                    • Part of subcall function 02CD3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02CD3FF3
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CE13B4
                                                                                  • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02CD4149), ref: 02CE1400
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02CD4149), ref: 02CE14D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$Event$CreateH_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 2825413587-0
                                                                                  • Opcode ID: 950ee1eb4fa305a5f342bc98d4fd268d2775344f2952660ab4f2dcdd65d2aa6c
                                                                                  • Instruction ID: 3f7767f182481d2843ee5cd86c9832096b94df7d223dcdcfa384cb630417d3c9
                                                                                  • Opcode Fuzzy Hash: 950ee1eb4fa305a5f342bc98d4fd268d2775344f2952660ab4f2dcdd65d2aa6c
                                                                                  • Instruction Fuzzy Hash: B951A0B16003458BDF11DF28C88475ABBE4AF88328F194728E96E97390E775EE15CB91
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2782032738-0
                                                                                  • Opcode ID: 0f85ed940c6d56133a0b6a9dcb7d8327fee3612a615be86a27bf3e8a21ccc4b7
                                                                                  • Instruction ID: 33afcfb86b394b4eab7cda819501bb9c6e0b1e9c185ba8aa73c14cf01f5c35fa
                                                                                  • Opcode Fuzzy Hash: 0f85ed940c6d56133a0b6a9dcb7d8327fee3612a615be86a27bf3e8a21ccc4b7
                                                                                  • Instruction Fuzzy Hash: 7541B671B00786ABDF388E69C89157E77A6EF84354B1481BEE827C7280D771FA41CB40
                                                                                  APIs
                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02CEFF4B
                                                                                  • __isleadbyte_l.LIBCMT ref: 02CEFF79
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02CEFFA7
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02CEFFDD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                  • String ID:
                                                                                  • API String ID: 3058430110-0
                                                                                  • Opcode ID: ccb946d3b07bb2922889635d032193f6442793abf1728d41a165e6ad9388947f
                                                                                  • Instruction ID: ef2784a3b9acc8d5c06ad93ba8b6fafb74b135675cbcd6ecc2628a1815690924
                                                                                  • Opcode Fuzzy Hash: ccb946d3b07bb2922889635d032193f6442793abf1728d41a165e6ad9388947f
                                                                                  • Instruction Fuzzy Hash: 8931E132600246AFDF218F75C844BAABBFAFF82314F15806DF86687590D732D951DB92
                                                                                  APIs
                                                                                  • htons.WS2_32(?), ref: 02CD3DA2
                                                                                    • Part of subcall function 02CD3BD3: __EH_prolog.LIBCMT ref: 02CD3BD8
                                                                                    • Part of subcall function 02CD3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02CD3BED
                                                                                  • htonl.WS2_32(00000000), ref: 02CD3DB9
                                                                                  • htonl.WS2_32(00000000), ref: 02CD3DC0
                                                                                  • htons.WS2_32(?), ref: 02CD3DD4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                  • String ID:
                                                                                  • API String ID: 3882411702-0
                                                                                  • Opcode ID: 9a75d0366e0a189948a7705a1de66f75615c7212ef952f8833b4acfc35576d5a
                                                                                  • Instruction ID: c1e15bff8b5aab192f63a59eb30ca2804019ca22e5ab1794223e182d36b7e6ad
                                                                                  • Opcode Fuzzy Hash: 9a75d0366e0a189948a7705a1de66f75615c7212ef952f8833b4acfc35576d5a
                                                                                  • Instruction Fuzzy Hash: 7311A535910249EFCF019F64D885A9AB7B9FF49310F008496FE09DF205D771DA18CBA1
                                                                                  APIs
                                                                                  • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02CD23D0
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CD23DE
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD2401
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CD2408
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 4018804020-0
                                                                                  • Opcode ID: 142a8ff69f6fc2c1adf523ac6e051dc24f15902cf250fc40bec5881e19249e24
                                                                                  • Instruction ID: e4f3979ce6da6d295771940acee4ce826ffe0af920191a7828e6135fe93afdba
                                                                                  • Opcode Fuzzy Hash: 142a8ff69f6fc2c1adf523ac6e051dc24f15902cf250fc40bec5881e19249e24
                                                                                  • Instruction Fuzzy Hash: 4311CE31600204ABDB109F61D984B67BBB8FF80709F1044ADEA019B501E7B1F915DBA1
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                  • String ID:
                                                                                  • API String ID: 3016257755-0
                                                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                  • Instruction ID: d30a49a7db17c6f6088bbd040b338cd0f57788b8d1f1522a8f31f77a9027e011
                                                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                  • Instruction Fuzzy Hash: BD010B3600014AFBCF266E94DD41CEE3F76BF58354B488456FE2A59131D336CAB1AB81
                                                                                  APIs
                                                                                  • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CD24A9
                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02CD24B8
                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02CD24CD
                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02CD24D4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                  • String ID:
                                                                                  • API String ID: 4018804020-0
                                                                                  • Opcode ID: 5244cce1bd65054e7d3507d707c0e12a99b157e5337b92426a23cb2454938e43
                                                                                  • Instruction ID: 18e401e3e8aba51c37a694a860c3bf8db9f6f452558d053fc159498c6cac15ae
                                                                                  • Opcode Fuzzy Hash: 5244cce1bd65054e7d3507d707c0e12a99b157e5337b92426a23cb2454938e43
                                                                                  • Instruction Fuzzy Hash: 72F03C72640205AFDB409FA9E844F9ABBACFF44711F004519FB05CA541D7B1E5648FE1
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD2009
                                                                                  • RtlDeleteCriticalSection.NTDLL(?), ref: 02CD2028
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CD2037
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02CD204E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                  • String ID:
                                                                                  • API String ID: 2456309408-0
                                                                                  • Opcode ID: e7d63efef3b80e7ec638ccf1529705496386a9a400e97f3264289475f64b4016
                                                                                  • Instruction ID: 5e02dbf5813e3ca422079119aee48ffd3ede05661610390d2a978ab409af84e9
                                                                                  • Opcode Fuzzy Hash: e7d63efef3b80e7ec638ccf1529705496386a9a400e97f3264289475f64b4016
                                                                                  • Instruction Fuzzy Hash: 700181715007049FC768AF54E9087AAFBF5FF04309F404A5EEB4682990CB756658CF95
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Event$H_prologSleep
                                                                                  • String ID:
                                                                                  • API String ID: 1765829285-0
                                                                                  • Opcode ID: f9bd878c2118b10a40c15a14d7b67ee406f041e420a8935a9cfd845da767985c
                                                                                  • Instruction ID: 0c33dc48c4d9294b1b9b2ef7479fdfa9986b679ce7282e0193419883f5e3fba4
                                                                                  • Opcode Fuzzy Hash: f9bd878c2118b10a40c15a14d7b67ee406f041e420a8935a9cfd845da767985c
                                                                                  • Instruction Fuzzy Hash: D4F03035640110DFCB409F98D8C8B98BBA4FF09311F4082A9F7199B290C7759958CB91
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memmove
                                                                                  • String ID: &'
                                                                                  • API String ID: 3529519853-655172784
                                                                                  • Opcode ID: 1bebf73e8fbe64112aacda0058d796356bb721ee1854122f06376db254bb3cd6
                                                                                  • Instruction ID: 712d78163fe1cef00954154dfb966cf932984392aa3ecdbe8071749b75213af9
                                                                                  • Opcode Fuzzy Hash: 1bebf73e8fbe64112aacda0058d796356bb721ee1854122f06376db254bb3cd6
                                                                                  • Instruction Fuzzy Hash: B6618071D00209DFDF20DFA4C981AEDFBB6AF48310F14416AD619BB250D771AA05DFA1
                                                                                  APIs
                                                                                  • GetCPInfo.KERNEL32(?,00000000), ref: 00406043
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: Info
                                                                                  • String ID: $
                                                                                  • API String ID: 1807457897-3032137957
                                                                                  • Opcode ID: 4125000c220d58311b25746a099467f0aeb8d9ceb46d36609f93bdf2855c5de6
                                                                                  • Instruction ID: 6f3342e17374a5810591d20bb46fecf62595c420ec24c73dd14930592398f9d2
                                                                                  • Opcode Fuzzy Hash: 4125000c220d58311b25746a099467f0aeb8d9ceb46d36609f93bdf2855c5de6
                                                                                  • Instruction Fuzzy Hash: 70410731004258AEEB219718DD99BFB7FD9DB02704F1501F6D54AFB1D3C23949648BAA
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CDCCAB
                                                                                    • Part of subcall function 02CDD287: std::exception::exception.LIBCMT ref: 02CDD2B6
                                                                                    • Part of subcall function 02CDDA3D: __EH_prolog.LIBCMT ref: 02CDDA42
                                                                                    • Part of subcall function 02CE3B4C: _malloc.LIBCMT ref: 02CE3B64
                                                                                    • Part of subcall function 02CDD2E6: __EH_prolog.LIBCMT ref: 02CDD2EB
                                                                                  Strings
                                                                                  • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02CDCCE1
                                                                                  • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CDCCE8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$_mallocstd::exception::exception
                                                                                  • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                  • API String ID: 1953324306-1943798000
                                                                                  • Opcode ID: 774d42612732dcb4a08467dade7b147e6914f7b182c46d21e15e8183c0a9486a
                                                                                  • Instruction ID: 3a362c5ba2307759be33be2b52a03295716d5c9194903ed97acfdac889e1d868
                                                                                  • Opcode Fuzzy Hash: 774d42612732dcb4a08467dade7b147e6914f7b182c46d21e15e8183c0a9486a
                                                                                  • Instruction Fuzzy Hash: EA219171E00244ABDB04EFA8D954BEEBBB5EF44700F00445DEA06AB350DB709A04DB51
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 02CD535D
                                                                                    • Part of subcall function 02CE2FAC: __FF_MSGBANNER.LIBCMT ref: 02CE2FC3
                                                                                    • Part of subcall function 02CE2FAC: __NMSG_WRITE.LIBCMT ref: 02CE2FCA
                                                                                    • Part of subcall function 02CE2FAC: RtlAllocateHeap.NTDLL(00960000,00000000,00000001), ref: 02CE2FEF
                                                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02CD536F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                  • String ID: \save.dat
                                                                                  • API String ID: 4128168839-3580179773
                                                                                  • Opcode ID: 771514c7f6368ae87b452249a1cf9982fffec57fad980b993943a3bdca355e9d
                                                                                  • Instruction ID: 44fbba0ccd91688f702823ec3fe827978d4faad059f4fb6c636dfab2c04c1a0b
                                                                                  • Opcode Fuzzy Hash: 771514c7f6368ae87b452249a1cf9982fffec57fad980b993943a3bdca355e9d
                                                                                  • Instruction Fuzzy Hash: 9B1190729043442BDF258E658C84E6FFF6BDFC3690B1041ECE94A67201D7A31E02D7A0
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD396A
                                                                                  • std::runtime_error::runtime_error.LIBCPMT ref: 02CD39C1
                                                                                    • Part of subcall function 02CD1410: std::exception::exception.LIBCMT ref: 02CD1428
                                                                                    • Part of subcall function 02CDA615: __EH_prolog.LIBCMT ref: 02CDA61A
                                                                                    • Part of subcall function 02CDA615: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CDA629
                                                                                    • Part of subcall function 02CDA615: __CxxThrowException@8.LIBCMT ref: 02CDA648
                                                                                  Strings
                                                                                  • Day of month is not valid for year, xrefs: 02CD39AC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                  • String ID: Day of month is not valid for year
                                                                                  • API String ID: 1404951899-1521898139
                                                                                  • Opcode ID: 0b4028010c2d8c27e8aee205544b74293844c952aeb7ffc058da66a68b6fc9b5
                                                                                  • Instruction ID: ad01ba43c44d66b877318e4fad72ddd5360106283764c09039a33d0707412d3b
                                                                                  • Opcode Fuzzy Hash: 0b4028010c2d8c27e8aee205544b74293844c952aeb7ffc058da66a68b6fc9b5
                                                                                  • Instruction Fuzzy Hash: 4201B17A910209AADF04EFA4D801AEEBB79FF18710F40441BEE0493200EB704A45EBA5
                                                                                  APIs
                                                                                  • std::exception::exception.LIBCMT ref: 02CDFB0E
                                                                                  • __CxxThrowException@8.LIBCMT ref: 02CDFB23
                                                                                    • Part of subcall function 02CE3B4C: _malloc.LIBCMT ref: 02CE3B64
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                  • String ID: bad allocation
                                                                                  • API String ID: 4063778783-2104205924
                                                                                  • Opcode ID: c1a58013a006c5e1ae0836cf675a5297ab2edf7dc39f508ae01b449d2fa6771c
                                                                                  • Instruction ID: 35d903c5271cdcbba52ffc287b6cb89b818921b5479b08fd08c53afcb52746ca
                                                                                  • Opcode Fuzzy Hash: c1a58013a006c5e1ae0836cf675a5297ab2edf7dc39f508ae01b449d2fa6771c
                                                                                  • Instruction Fuzzy Hash: 94F02EB060030D779F14EA988C45AAF73ECAF04644F40055AE626D76C0EF70EE049595
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD3C1B
                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 02CD3C30
                                                                                    • Part of subcall function 02CE24B7: std::exception::exception.LIBCMT ref: 02CE24C1
                                                                                    • Part of subcall function 02CDA64E: __EH_prolog.LIBCMT ref: 02CDA653
                                                                                    • Part of subcall function 02CDA64E: __CxxThrowException@8.LIBCMT ref: 02CDA67C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                  • String ID: bad cast
                                                                                  • API String ID: 1300498068-3145022300
                                                                                  • Opcode ID: 8b909d4842ad6ba8510f6db7289ecf44ac08da0fd9f57f326e032750acbf8421
                                                                                  • Instruction ID: 125c6f861a7bf1f2e1f34c2cf26e5676e9a40f0dc300bb2c2af55168e4ee3b33
                                                                                  • Opcode Fuzzy Hash: 8b909d4842ad6ba8510f6db7289ecf44ac08da0fd9f57f326e032750acbf8421
                                                                                  • Instruction Fuzzy Hash: B0F0A0729005048BCB09DF58D440AEAB779EF95311F1001AEEF065B240CBB29A4ADA91
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD38D2
                                                                                  • std::runtime_error::runtime_error.LIBCPMT ref: 02CD38F1
                                                                                    • Part of subcall function 02CD1410: std::exception::exception.LIBCMT ref: 02CD1428
                                                                                    • Part of subcall function 02CD8983: _memmove.LIBCMT ref: 02CD89A3
                                                                                  Strings
                                                                                  • Year is out of valid range: 1400..10000, xrefs: 02CD38E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                  • String ID: Year is out of valid range: 1400..10000
                                                                                  • API String ID: 3258419250-2344417016
                                                                                  • Opcode ID: e61ee7a99fc700b5ffe41dd00cc2b128a3c4163761e59a6900c157399a0a08f6
                                                                                  • Instruction ID: dcdf218af8615769989af711cf513591eae35993f6821fec7f7e4a3bbf48a95e
                                                                                  • Opcode Fuzzy Hash: e61ee7a99fc700b5ffe41dd00cc2b128a3c4163761e59a6900c157399a0a08f6
                                                                                  • Instruction Fuzzy Hash: 33E0D872E001045BD794EBD88C117EDB7B9DB08710F04055ADB06636C0DAF21944DBD1
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD3886
                                                                                  • std::runtime_error::runtime_error.LIBCPMT ref: 02CD38A5
                                                                                    • Part of subcall function 02CD1410: std::exception::exception.LIBCMT ref: 02CD1428
                                                                                    • Part of subcall function 02CD8983: _memmove.LIBCMT ref: 02CD89A3
                                                                                  Strings
                                                                                  • Day of month value is out of range 1..31, xrefs: 02CD3894
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                  • String ID: Day of month value is out of range 1..31
                                                                                  • API String ID: 3258419250-1361117730
                                                                                  • Opcode ID: 783e8e48c522647e86db5d2c373fd8dd1fe8093dd4d079c34ea3eb667acca3b3
                                                                                  • Instruction ID: e31e1e823116b259287c19f1ab5f838fde71c2d97a8d4279c884ddd888b1e002
                                                                                  • Opcode Fuzzy Hash: 783e8e48c522647e86db5d2c373fd8dd1fe8093dd4d079c34ea3eb667acca3b3
                                                                                  • Instruction Fuzzy Hash: 0FE0D872F0010457D754ABD88C11BEDB7B9DB08B50F44055ADB0663680DAF21944DBD1
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD391E
                                                                                  • std::runtime_error::runtime_error.LIBCPMT ref: 02CD393D
                                                                                    • Part of subcall function 02CD1410: std::exception::exception.LIBCMT ref: 02CD1428
                                                                                    • Part of subcall function 02CD8983: _memmove.LIBCMT ref: 02CD89A3
                                                                                  Strings
                                                                                  • Month number is out of range 1..12, xrefs: 02CD392C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                  • String ID: Month number is out of range 1..12
                                                                                  • API String ID: 3258419250-4198407886
                                                                                  • Opcode ID: d000ca4b8fe87cd884ad452ef56a98cc4a46074c8f5c25a298d167b36bd9221e
                                                                                  • Instruction ID: 2c8097036cca8e06c4cc60565909ffcb5450afca9586e37e44edb89301386b81
                                                                                  • Opcode Fuzzy Hash: d000ca4b8fe87cd884ad452ef56a98cc4a46074c8f5c25a298d167b36bd9221e
                                                                                  • Instruction Fuzzy Hash: 3BE0D872E0010497DB58BBD8CC117EDB7B9DB08710F04055BDB0663680DAF21944DBD5
                                                                                  APIs
                                                                                  • TlsAlloc.KERNEL32 ref: 02CD19CC
                                                                                  • GetLastError.KERNEL32 ref: 02CD19D9
                                                                                    • Part of subcall function 02CD1712: __EH_prolog.LIBCMT ref: 02CD1717
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocErrorH_prologLast
                                                                                  • String ID: tss
                                                                                  • API String ID: 249634027-1638339373
                                                                                  • Opcode ID: 9899c901e5227c0ede8950b6e33eb7e8478d490a24656e5a39a303c282161607
                                                                                  • Instruction ID: f5fb7afa287c9befb1f6349ce54c2858d223f629804f79ab38b88fb185b88abd
                                                                                  • Opcode Fuzzy Hash: 9899c901e5227c0ede8950b6e33eb7e8478d490a24656e5a39a303c282161607
                                                                                  • Instruction Fuzzy Hash: 5AE08632D142145BC3007B78D80818FFBA49A85274F108B66EEA9936D0EA7049549BC2
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 02CD3BD8
                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 02CD3BED
                                                                                    • Part of subcall function 02CE24B7: std::exception::exception.LIBCMT ref: 02CE24C1
                                                                                    • Part of subcall function 02CDA64E: __EH_prolog.LIBCMT ref: 02CDA653
                                                                                    • Part of subcall function 02CDA64E: __CxxThrowException@8.LIBCMT ref: 02CDA67C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2601842045.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_2cd1000_dpfreevideoconverter3264.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                  • String ID: bad cast
                                                                                  • API String ID: 1300498068-3145022300
                                                                                  • Opcode ID: 082944f69f1f059c13374d8385069a6beda53660a0b9cc36791edbf4c8dd852b
                                                                                  • Instruction ID: 30656625581d2ef6a6293103d28208a0e1d22c5175f5209da8e8381b7f6d4c09
                                                                                  • Opcode Fuzzy Hash: 082944f69f1f059c13374d8385069a6beda53660a0b9cc36791edbf4c8dd852b
                                                                                  • Instruction Fuzzy Hash: 67E04671900108EBCB58EF98D951BBDBBB5EF54300F4080ADAF0757790CB765A4ADE82
                                                                                  APIs
                                                                                  • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404A98
                                                                                  • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404ACC
                                                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AE6
                                                                                  • HeapFree.KERNEL32(00000000,?,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AFD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.2599449034.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000003.00000002.2599449034.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_dpfreevideoconverter3264.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocHeap$FreeVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 3499195154-0
                                                                                  • Opcode ID: ce4ada8b902dfebd710317009954046d05cbabe247724abee2a5f00560661e15
                                                                                  • Instruction ID: dc67fb346d5d76982e704de85eb446c967f6762947f7574792f270977e83cdee
                                                                                  • Opcode Fuzzy Hash: ce4ada8b902dfebd710317009954046d05cbabe247724abee2a5f00560661e15
                                                                                  • Instruction Fuzzy Hash: 641113B0201702EFC7209F69EE85A227BB5FB857217114A3AE692E65F1D770A845CB48